Tracking for badge carrier

ABSTRACT

A tracking system is disclosed that enables the tracking of a beacon device and a credential device being held by the beacon device. The beacon device may communicate with readers of an access control system using a first communication protocol whereas the credential device being held by the beacon device may communicate with readers of the access control system using a second communication protocol. As the beacon device and the credential device being held by the beacon device may also communicate with readers at different times, a beacon device may be associated with a credential device being held thereby such that tracking of one device enables inferred tracking of the other device.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims the benefits of and priority, under 35U.S.C. § 119(e), to U.S. Provisional Application Ser. No. 62/192,088,filed on Jul. 14, 2015, entitled “Tracking for Badge Carrier,” theentire disclosure of which is hereby incorporated by reference, in itsentirety, for all that it teaches and for all purposes.

FIELD

The present disclosure is generally directed to asset location tracking,and more specifically to asset location tracking using existing accesscontrol systems.

BACKGROUND

The ability to track assets—including human assets, such as employees orvisitors—in real time throughout a building or in multi-room premisescan be beneficial, particularly in certain fields. One such applicationis in the medical field, where the ability to track both nurses andpatients in a hospital, in real-time, is desirable. The solution forthis is often referred to as Real-Time Location Services (RTLS).

There are two types of technologies used to support RTLS: (1) passiveRFID (e.g. UHF), which utilizes cheap tags, coarse tracking andexpensive readers; and (2) active tags, which utilize RFID technologiesor a combination of technologies such as WiFi and Infrared (IR) that aregenerally much more expensive, but also yield much more precise locationdeterminations.

Employees or visitors to a secure facility such as a hospital are oftengiven an access badge or other device containing access credentials,which allows them to enter or exit one or more areas of the securefacility. In facilities that utilize tracking or location services,people that need to be tracked are often given an additional trackingdevice beyond the traditional access badge.

SUMMARY

Problematically, many people do not like to carry two separate devices(e.g. an access badge and a tracking device), as it is not onlycumbersome but more likely that one or both devices will become lost orseparated. Moreover, it is often expensive to install the trackingreaders needed to determine the location of tracking devices.

Existing physical access control systems and locks for the same alreadyprovide a powered infrastructure at regular intervals in a building thatcan be used to track people. Readers in these access control systems areincreasingly being fitted with Bluetooth (e.g., Bluetooth Low Energy(BLE)) capability.

It is with respect to the above issues and other problems that theembodiments presented herein were contemplated.

According to some embodiments of the present disclosure, a firsttracking device based on BLE and/or other communication protocols isprovided within or in the form of a physical lanyard, retractable badgereel or card holder sleeve or other device that can removably secure orbe attached to a second tracking device, such as a card or badge(referred to herein as a credential device). In some embodiments, thefirst tracking device would comprise a beacon device or similar devicethat broadcasts information. Such information could include dynamiclocation information and, optionally, one or both of identifyinformation associated with the holder or user and/or identityinformation associated with the tracking or beacon device, such as adevice identification number. The device identification number may bestatic or dynamic. A dynamic identification number is one that changesover time, although even a static identification number is subject toperiodic change. Advantageously, these embodiments avoid the need tointegrate the first tracking device and the second tracking device intoa single device, thereby saving implementation costs.

More specifically, embodiments of the present disclosure would allow thefirst tracking device (e.g. a beacon device in the form of the physicallanyard, the retractable badge reel, or the card holder) to hold acredential device (the second tracking device)—and, indeed, to provide ameans of securing the credential device to the user thereof—and stillserve as a tracking device. In some embodiments, a basket in whichlanyards (or retractable badge reels or card holder devices) are storedwhen not in use by visitors or other persons could automatically,wirelessly recharge multiple tracking devices simultaneously. Inembodiments where the tracking device is a retractable badge reel, it iseven feasible to recharge the battery using the extraction motion whenthe badge is extended and/or retracted from the reel.

As used herein, an access control system is a system that makes accesscontrol decisions. In one embodiment, the access control systemcomprises a plurality of readers configured to control access to aprotected resource at given access points, such as doors or gates, andfurther comprises one or more credential devices storing accesscredentials and configured to communicate with the readers. A centralhost or control panel may also comprise part of the access controlsystem. A mobile device may be a smartphone, a tablet, or any otherdevice comprising a processor, a data storage capability (e.g., computermemory), and a wireless communication capability. The mobile device mayfurther include a downloadable application that provides and controlsfunctionality of the device. For example, the mobile device applicationcan control the change of its identification number or that of a beacondevice or credential device. A user is an individual in possession of acredential device. A reader, which may also be referred to as a readingdevice or interrogator, is a device having a location (which may or maynot be fixed) near an access point to a protected resource, and that isconfigured to grant access to the protected resource—for example, uponreceipt of authorized credentials from a credential device. A reader maycomprise a contact-based or contactless communication interface (alsoreferred to herein as a wireless communication interface, which mayinclude one or both of a wireless communication receiver and a wirelesscommunication transmitter, or a wireless communication transceiver), amemory for storing at least instructions, and a processor for carryingout instructions stored in memory. In some embodiments, the instructionsmay be stored as firmware. The access control decision may be made in areader, in a tracking device, in a credential, or at a central host,control panel or other remote system in communication with thereader(s), tracking device(s) and credential(s) or in a combination ofany or all of these system components. The communication among thesystem components may be direct or indirect. For example, the trackingdevice and/or mobile device may provide a communication channel betweena reader and a remote system. In such a case, the reader would not makethe decision and would pass information to the remote system for makingthe access decision.

As used herein, “credentials” or “credential information” refer to anydata, set of data, encryption scheme, key, and/or transmission protocolstored in or on or used by a credential device to authenticate and/or toverify its authenticity with a reader, mobile device, and/orinterrogator. As used herein, “credential device” refers to the physicalsystem component that holds and provides a credential. For example, ifthe identify of one of the beacon device and the credential device ispreviously known to the access control system and the other of thebeacon device and credential device is unknown or anonymous as trackedby the access control system, the step of associating the beacon devicewith the credential device will also enable identification of theunknown device with the known device unassociated device. Similarly, ifboth devices are unknown or anonymous to the access control system,embodiments of the present disclosure will allow association of the twoanonymous devices. Credential devices include, but are not limited to,devices that transfer information to a reader, such as an RFID tag, aprinted card or badge, a fob, a disk, a smart card, a mobile device,beacon, a device with a magnetic stripe or bar code, etc. A credentialdevice may also comprise photograph and name printed on a badge or paperthat is visually inspected by a human. A credential device may comprisea contact-based or contactless communication interface. If wireless, thecommunication device may broadcast physical location informationcontinuously or periodically.

By way of example, visitors to a secure facility or location may beissued a credential device for authentication while visiting thefacility. A credential device may include its own power source, or usepower provided from another source, or be completely unpowered. Acredential device may comprise, for example, RFID components, (e.g., acapacitor, antenna, etc.). In this example, when the credential deviceis presented within an RFID field provided by another device (e.g. areader), the other device provides energy via the RFID field that can bestored in the capacitor of the credential device. As another example, acredential device may be a paper card with information encoded thereon(e.g. an image, text, and/or a 1-dimensional or 2-dimensional barcode).Powered credential devices may include, for example, a smartcard with anactive RFID tag (e.g. a tag powered by a power source internal to thesmartcard), or a mobile device. In some embodiments, the credentialdevice may be disposable.

Credential devices issued to visitors (or other individuals) may berequired to be attached to the visitor or other individual in a locationvisible by others. Alternatively, a visitor or other individual with acredential device may desire to attach the credential device to his orher person in a way that allows the credential device to be readilyavailable for presentation to a reader. The credential device may beconfigured to be attached to the visitor or other individual, forexample, using a lanyard, a badge holder, a badge reel, or anotheraccessory that facilitates the visitor's carrying of the credentialdevice in a readily accessible and/or readily visible manner. Theaccessory may be attachable to the clothing or body of the user, and thecredential device may be attachable to the accessory, via clasping,pinning, connecting, adhering, hanging, or any other suitable form ofattachment. The accessory also comprises a first tracking device, suchas a beacon device. As a result, there are two tracking devicesassociated with the individual.

While visitors to a secure facility or location may be issued acredential device for the length of their visit, employees or others whorequire repeated access to the secure facility or location may also beissued a credential device. Credential devices intended for long-termuse may, in some embodiments, be of a more substantial construction thancredential devices intended for visitor use. For example, smart cardsand mobile devices may be used as credential devices by long-term usersof a secure facility or location. In some embodiments, credentialdevices issued to visitors and to long-term users may be substantiallyidentical, and other aspects of the access control system with which thecredential devices are used may be utilized to distinguish betweenvisitors and regular users of the protected resource. In someembodiments, credential devices owned or possessed by visitors oremployees may be used, provided they are able to communicate with theaccess control system.

According to some aspects of the present disclosure, the association ofa credential device and a specific user is known. When a beacon deviceis provided to the same user, for either a short or long term use, thebeacon device also may be associated with or registered with the usesuch that the access control system knows the two devices are associatedwith a single user. As a result, either device will identify thelocation of the user. Alternatively, the beacon device may not beassociated or registered with the user at the time it is provided. Inthis situation, the beacon device is broadcasting informationanonymously in the sense that the location of the beacon device isknown, but there is no user associated with the device. But when thecredential device, which is associated with the user, first communicateswith a reader and the access control system identifies the location ofthe user based upon the credential device, the access control systemwill then also be able to associate the beacon device with thecredential device and the user, based upon the location of the beacondevice and credential device being the same or nearly the same. The sameassociate process can successfully occur if the system knows the beacondevice is associated with a specific user, but the system does not knowthe identity of the user's credential device. Once the system identifiesthe two devices are in the same location and one of the devices isassociated with a user, the system may associate the second device withthe same user. Because of the precision location abilities of currenttechnology, accurate user associate may occur even if multiple beacondevices and multiple credential devices are near each other. If theidentification number associated with the devices changes over time, theprocess of re-association of multiple devices with a user must alsoperiodically occur.

According to aspects of the present disclosure, the access controlsystem may also increase or decrease a user's access authorizationdynamically based upon the associated credential and locationinformation. For example, if a beacon device is physically separatedfrom a credential device, authorizations for both devices may bedecreased or terminated. Similarly, if a credential device and beacondevice are detected at a location where the associated user is notauthorized, permissions may be down-graded or terminated, or theauthentication step may require additional levels of identificationand/or authorization be provided by the user. If the requestedadditional information is not provided or is not available to the user,access may be denied. Alternatively, the access control system couldelevate or increase the authorization associated with a user. Suchincreased or decreased authorizations may occur the next occasion eachdevice communicates with a reader. Optionally, if the user's credentialdevice is a legacy or technically unsophisticated device, such asutilizing a magnetic stripe bar code or photograph, the access controlsystem could require higher level identification (such as a PIV card)from the user prior to upgrading authorizations.

Any number of communication protocols may be employed by beacon devicesand credential devices employed herein, which may use the same ordifferent communication protocols. Examples of communications protocolscan include, but are in no way limited to, the protocol or protocolsassociated with near field communication (NFC), radio frequencyidentification (RFID) (e.g., operating at 125 kHz, 13.56 kHz, etc.),Bluetooth wireless communication, Bluetooth Low Energy (BLE), PersonalArea Network (PAN), Body Area Network (BAN), cellular communications,WiFi communications, and/or other wireless communications. The mostbasic credential devices may not have any transmission capability, butmay rather be designed to be scanned or otherwise read (e.g. by abarcode scanner or another laser scanner or an optical scanner).According to aspects of the present disclosure, if the beacon device andthe credential device utilize the same communication protocol, it isalso an available option to have the beacon and credential devicescommunicate with each other, and have one of the devices responsible forprimary communication with the access control system. Thus, it would befeasible that the Beacon device could query or check the signalemanating from the credential device and transmit such information tothe reader without the credential device having to transmit anything tothe reader directly. However, both devices may still communicate asneeded with the access control system.

The terms “memory,” “computer memory,” and “computer-readable medium,”as used herein, refer to any tangible data storage medium thatparticipates in providing instructions to a processor for execution.Such a medium may take many forms, including but not limited to,non-volatile media, volatile media, and transmission media. Non-volatilemedia includes, for example, NVRAM, or magnetic or optical disks.Volatile media includes dynamic memory, such as main memory. Commonforms of computer-readable media include, for example, a floppy disk, aflexible disk, hard disk, magnetic tape, or any other magnetic medium,magneto-optical medium, a CD-ROM, any other optical medium, punch cards,paper tape, any other physical medium with patterns of holes, a RAM, aPROM, and EPROM, a FLASH-EPROM, a solid state medium like a memory card,any other memory chip or cartridge, or any other medium from which acomputer can read instructions. When the computer-readable medium isconfigured as part of a database, it is to be understood that thedatabase may be any type of database, such as relational, hierarchical,object-oriented, and/or the like. Accordingly, the disclosure isconsidered to include a tangible storage medium or distribution mediumand prior art-recognized equivalents and successor media, in which thesoftware implementations of the present disclosure are stored.

The processors described herein may be, by way of example and notlimitation, one or more of Qualcomm® Snapdragon® 800 and 801, Qualcomm®Snapdragon® 610 and 615 with 4G LTE Integration and 64-bit computing,Apple® A7 processor with 64-bit architecture, Apple® M7 motioncoprocessors, Samsung® Exynos® series, the Intel® Core™ family ofprocessors, the Intel® Xeon® family of processors, the Intel® Atom™family of processors, the Intel Itanium® family of processors, Intel®Core® i5-4670K and i7-4770K 22 nm Haswell, Intel® Core® i5-3570K 22 nmIvy Bridge, the AMD® FX™ family of processors, AMD® FX-4300, FX-6300,and FX-8350 32 nm Vishera, AMD® Kaveri processors, Texas Instruments®Jacinto C6000™ automotive infotainment processors, Texas Instruments®OMAP™ automotive-grade mobile processors, ARM® Cortex™-M processors,ARM® Cortex-A and ARM926EJ-S™ processors, other industry-equivalentprocessors, and may perform computational functions using any known orfuture-developed standard, instruction set, libraries, and/orarchitecture.

The phrases “at least one”, “one or more”, and “and/or” are open-endedexpressions that are both conjunctive and disjunctive in operation. Forexample, each of the expressions “at least one of A, B and C”, “at leastone of A, B, or C”, “one or more of A, B, and C”, “one or more of A, B,or C” and “A, B, and/or C” means A alone, B alone, C alone, A and Btogether, A and C together, B and C together, or A, B and C together.When each one of A, B, and C in the above expressions refers to anelement, such as X, Y, and Z, or class of elements, such as X₁-X_(n),Y₁-Y_(m), and Z₁-Z_(o), the phrase is intended to refer to a singleelement selected from X, Y, and Z, a combination of elements selectedfrom the same class (e.g., X₁ and X₂) as well as a combination ofelements selected from two or more classes (e.g., Y₁ and Z_(o)).

The term “a” or “an” entity refers to one or more of that entity. Assuch, the terms “a”, “an”, “one or more” and “at least one” can be usedinterchangeably herein. It is also to be noted that the terms“comprising”, “including”, and “having” can be used interchangeably.

The terms “determine,” “calculate,” and “compute,” and variationsthereof, as used herein, are used interchangeably and include any typeof methodology, process, mathematical operation, or technique.

The term “means” as used herein shall be given its broadest possibleinterpretation in accordance with 35 U.S.C., Section 112, Paragraph (f).Accordingly, a claim incorporating the term “means” shall cover allstructures, materials, or acts set forth herein, and all of theequivalents thereof. Further, the structures, materials or acts and theequivalents thereof shall include all those described in the summary ofthe invention, brief description of the drawings, detailed description,abstract, and claims themselves.

The term “module” as used herein refers to any known or later developedsoftware or firmware that, when executed by a processor, is capable ofperforming the functionality associated with that element.

It should be understood that every maximum numerical limitation giventhroughout this disclosure is deemed to include each and every lowernumerical limitation as an alternative, as if such lower numericallimitations were expressly written herein. Every minimum numericallimitation given throughout this disclosure is deemed to include eachand every higher numerical limitation as an alternative, as if suchhigher numerical limitations were expressly written herein. Everynumerical range given throughout this disclosure is deemed to includeeach and every narrower numerical range that falls within such broadernumerical range, as if such narrower numerical ranges were all expresslywritten herein.

The preceding is a simplified summary of the disclosure to provide anunderstanding of some aspects of the disclosure. This summary is neitheran extensive nor exhaustive overview of the disclosure and its variousaspects, embodiments, and configurations. It is intended neither toidentify key or critical elements of the disclosure nor to delineate thescope of the disclosure but to present selected concepts of thedisclosure in a simplified form as an introduction to the more detaileddescription presented below. As will be appreciated, other aspects,embodiments, and configurations of the disclosure are possibleutilizing, alone or in combination, one or more of the features setforth above or described in detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings are incorporated into and form a part of thespecification to illustrate several examples of the present disclosure.These drawings, together with the description, explain the principles ofthe disclosure. The drawings simply illustrate preferred and alternativeexamples of how the disclosure can be made and used and are not to beconstrued as limiting the disclosure to only the illustrated anddescribed examples. Further features and advantages will become apparentfrom the following, more detailed description of the various aspects,embodiments, and configurations of the disclosure, as illustrated by thedrawings referenced below.

FIG. 1A is a diagram depicting an access control system in accordancewith embodiments of the present disclosure;

FIG. 1B is a diagram depicting aspects of an access control systemaccording to at least one embodiment of the present disclosure;

FIG. 1C is a diagram depicting aspects of an access control systemaccording to at least another embodiment of the present disclosure;

FIG. 2 is a block diagram depicting a credential device according to atleast one embodiment of the present disclosure;

FIG. 3 is a block diagram depicting an access control server accordingto at least one embodiment of the present disclosure;

FIG. 4 is a block diagram depicting a beacon device according to atleast one embodiment of the present disclosure;

FIG. 5 is a block diagram depicting a reader according to at least oneembodiment of the present disclosure;

FIG. 6 is a flowchart depicting a method according to at least oneembodiment of the present disclosure;

FIG. 7 is a flowchart depicting another method according to at least oneembodiment of the present disclosure; and

FIG. 8 is a block diagram depicting another beacon device according toat least one embodiment of the present disclosure.

DETAILED DESCRIPTION

An access control system according to one embodiment of the presentdisclosure comprises a tracking device, such as a credential device,configured for removable attachment to another tracking device, such asa beacon device, the credential device comprising an antenna thatenables wireless communications with one or more readers using a secondcommunication protocol that is different from a first communicationprotocol used by the beacon device to communicate with the one or morereaders; and an access server configured to receive communications fromthe one or more readers, associate the credential device and the beacondevice in a memory, and determine, based on the received communications,a location of the beacon device and the credential device.

The access server may comprise a communication interface that enablesthe access server to receive the communications from the one or morereaders. The first communication protocol may comprise at least one ofBluetooth, Bluetooth Low Energy (BLE), and WiFi. The secondcommunication protocol may utilize an inductive coupling between theantenna and a reader antenna of the one or more readers. The one or morereaders may receive a communication from the beacon device at a firsttime and the credential device may communicate with the one or morereaders at a second time different from the first time. The first timemay precede the second time.

The communication range of the first communication protocol may begreater than a communication range of the second communication protocol,or vice versa. Alternatively, the communication range of the first andsecond communication protocols may be the same. One of the first andsecond communications protocols may be capable of communicating at agreater strength, or over a greater distance, than the other.Additionally, the beacon device may be chargeable by motion of aretractable member. The one or more readers may receive a beaconidentifier from the beacon device via the first communication protocol.In some embodiments, two or more readers may receive a communicationfrom the beacon device, and a position of the beacon device may bedetermined, at least in part, based on triangulation between a first andsecond of the two or more readers that receive the communication fromthe beacon device. The credential device may be configured tocommunicate wirelessly, or it may require physical presentation to areader for contact or optical assessment in order to determine itsidentification. At least in the latter situation, the location of thereader may be used as the location of the credential device. The accessserver may comprise an asset tracking module to determine a location ofthe beacon device and the credential device. The access server may befurther configured to change an access authorization of the credentialdevice based upon the location of the beacon device and the credentialdevice. The access server may also comprise a validation engineconfigured to verify that information received by the one or morereaders and included in the communications from the one or more readersoriginated from the beacon device, based on pseudo-random sequences ofdata included in the information.

According to another embodiment of the present disclosure, a method oftracking assets in an access control system, comprises receiving, from afirst reader in the access control system, a first communicationcomprising information about a first signal transmitted by a beacondevice using a first communication protocol; receiving, from the firstreader, a second communication comprising information about a secondsignal transmitted by a credential device to the first reader using asecond communication protocol; associating, based on the first andsecond communications, the beacon device and the credential device; anddetermining, with a processor, a location of the beacon device based onat least one of the information about the first signal and theinformation about the second signal. The first communication protocolmay be Bluetooth, BLE, or WiFi. The second communication protocol mayutilize inductive coupling. For example, if the identify of one of thebeacon device and the credential device is previously known to theaccess control system and the other of the beacon device and credentialdevice is unknown or anonymous as tracked by the access control system,the step of associating the beacon device with the credential devicewill also enable identification of the unknown device with the knowndevice. Similarly, if both devices are unknown or anonymous to theaccess control system, embodiments of the present disclosure will allowassociation of the two anonymous devices. Alternatively, instead ofreceiving the second communication from the credential device at thefirst reader, the second communication from the credential device may bereceived at a second reader located generally proximate the firstreader. For example, the first reader may be configured to communicatewith the beacon device over a first distance, and the second reader maybe configured to communicate with the credential device over a seconddistance, where the first and second distances are different due to thenature of the readers. The second reader may utilize a communicationprotocol that operates wirelessly at 125 KHz and the first reader mayutilize a Bluetooth or WiFi communication protocol. The locations of thefirst and second readers being known, the step of associating the beacondevice and the credential device may reliably occur.

The method may further comprise receiving, from a second reader, a thirdcommunication comprising additional information about the first signaltransmitted by the beacon device, and the location determining maycomprise triangulating a position of the beacon device based on theinformation about the first signal in the first communication and theadditional information about the first signal in the thirdcommunication. The information about the first signal in the firstcommunication and the additional information about the first signal inthe third communication may each comprise signal strength information,and wherein the location determining may further comprise utilizing thesignal strength information to determine a first distance between thebeacon device and the first reader and a second distance between thebeacon device and the second reader. The method may also furthercomprise determining, with the processor, a location of the credentialdevice based on the information about the second signal.

According to another embodiment of the present disclosure, an accessserver comprises a processor, a communication interface, and a memory.The memory stores information associating an individual and a credentialdevice and associating the credential device and a beacon device. Thememory further stores instructions for execution by the processor that,when executed by the processor, cause the processor to determine aposition of the beacon device based on first information received viathe communication interface from a first reader and second informationreceived via the communication interface from a second reader, the firstand second information comprising signal strength information about asignal received by the first reader and the second reader from thebeacon device. Determining a position of the beacon device may utilizeat least one of Received Signal Strength Indication (RSSI), Time ofFlight (ToF), Angle of Arrival (AoA), phase detection, and echodetection.

Also, the memory may store additional instructions for execution by theprocessor that, when executed by the processor, further cause theprocessor to determine a position of the credential device based onthird information received via the communication interface from thefirst reader, the second reader, or a third reader, the thirdinformation evidencing a communication between the credential device andthe first reader, the second reader, or the third reader.

Before any embodiments of the disclosure are explained in greaterdetail, it is to be understood that the disclosure is not limited in itsapplication to the details of construction and the arrangement ofcomponents set forth in the following description or illustrated in thefollowing drawings. The disclosure is capable of other embodiments andof being practiced or of being carried out in various ways. Also, it isto be understood that the phraseology and terminology used herein is forthe purpose of description and should not be regarded as limiting. Theuse of “including,” “comprising,” or “having” and variations thereofherein is meant to encompass the items listed thereafter and equivalentsthereof as well as additional items.

The systems and methods described herein may provide many potentialadvantages over prior systems. For instance, the systems and methodsdescribed herein may be compatible with existing inductive/RF/125 kHzaccess control systems and even with paper printed visitor badges.Additionally, the user does not feel that he or she is carrying multipledevices, because a credential device may be held or secured using abeacon device. Furthermore, in embodiments where the beacon deviceutilizes Bluetooth, BLE, or WiFi, costs are minimized due to the alreadylarge scale adoption of Bluetooth, BLE, and WiFi devices. Further still,in embodiments where the beacon device uses BLE for communicating withthe readers of an access control system, there is a less frequent needto recharge the beacon device due to advantages of BLE low powerconsumption.

In operation, there are other advantages to tracking a location of abeacon device as well as tracking information for the credential deviceassociated with and/or being held by the beacon device. In particular, abeacon device can be assigned to or implemented to carry any number ofcredential devices. When the beacon device initially enters an accesscontrol system having a plurality of readers, the association betweenthe beacon device and the credential device being held by the beacondevice may not be known to the access control system. However, as thebeacon device and the associated credential device travel around theaccess control system, both devices will communicate with (or otherwiseprovide information to) various readers at different intervals,depending upon the communication protocols/channels used by the beacondevice and the associated credential device. The location informationand timing will enable association of the two devices by the accesscontrol system. Further still, if one of the beacon device and thecredential device is previously known to be associated with a specificindividual or user and the other of the beacon device and credentialdevice is unassociated with a user or anonymous as tracked by the accesscontrol system, the step of associating the beacon device with thecredential device will not only enable association of the two devices,but will also enable association of the user with the previouslyunassociated device. As described above, these communications may beused to establish an association between the beacon device and thecredential device.

In some embodiments, the beacon device may communicate with a readerusing, for example, BLE (e.g., transmit a BLE broadcast identifier,another beacon identifier, or another identifier) at a first time. Thecredential device being held by the beacon device may communicate withthe reader using the same communication protocol as the beacon device,or it may communicate with the reader using, for example, 125 kHz or13.56 MHz inductive communications (e.g., a traditional RF/inductivecommunication channel) when the credential device being held is placedwithin a very close proximity (e.g., less than 0.5 meters) of thereader. In embodiments where the beacon device uses a BLE communicationprotocol and the credential device uses an inductive communicationchannel, because the communication range of BLE is greater than that ofinductive communication channels, the credential device will communicatewith the same reader at a second time that is different than, and likelyafter, the first time. Once a reader has communicated with both a beacondevice and a credential device being held by the beacon device, theinformation from both communications can be processed by the reader(s)and/or passed to a central host (e.g., a control panel, an accessserver, or another computing device) such that an association betweenthe beacon device and the credential device being held can be positivelymade by the access control system. With this association, the locationof the credential device being held can be surmised by tracking thelocation of the beacon device (which has a longer communication range).Conversely, the precise location of a beacon device can be determinedbased on the shorter communication range of the credential device andthe association between the beacon device and the credential device. Ifthe credential device and the beacon device use the same communicationprotocol or have essentially the same read range, the communicationbetween the credential device and a reader and the beacon device and areader may be simultaneous or near simultaneous, but one may still betracked relative to the other.

When the beacon device is brought back to a front desk or otherappropriate location for return (e.g., when it is no longer needed orbeing used, such as when a visitor or other individual checks out of asecure facility), then the association between the beacon device and thecredential device being held by the beacon device may be erased orotherwise forgotten. The process of associating a beacon device and acredential device may begin anew when the beacon device is brought backout into the access control system (e.g. after being issued to anotherindividual and holding another credential device) and beginscommunicating with readers again.

In some embodiments, because the beacon device may be communicating atlonger distances than the credential device being held by the beacondevice, the likelihood of the beacon device simultaneously communicatingwith multiple readers is higher than the likelihood of the credentialdevice being held simultaneously communicating with multiple readers.Thus, RSSI may be used to triangulate a more precise location of thebeacon device relative to the readers, even if the credential devicebeing held is not in communication with even one reader. Other forms oftriangulation and position determination can be used for the beacondevice, such as AoA, ToF, phase detection, echo detection, and the like.When a beacon device is positively associated with a credential devicebeing held, then the position of one asset can be assumed to be therelative position of the other, and the position of both devices can beassumed to be the position of the user of the devices. In this way,tracking of people and assets carrying beacon devices and credentialdevices being held using a communication network of readers can helpfacilitate location determinations for the people and assets. Whileassociations can be inferred by tracking the communication history ofboth the beacon device and the credential device being held, it may alsobe possible to have a security administrator (e.g., an issuer of thecredential device and/or of the beacon device) log the association of abeacon device and a credential device being held directly into theaccess control system. Thus, when the security administrator inputs thebeacon device identifier/number and the associated identifier/number ofthe credential device being held thereby, the access control system canimmediately begin inferring the location of one component when thelocation of the other component becomes known to the access controlsystem, e.g. by virtue of communications with a reader.

According to aspects of the present disclosure, the reader(s) may havethe capability of identifying, associating and permitting access tocontrolled areas by multiple devices based upon information provided bythe beacon device(s), the credential device(s) and location information.The location information may be provided by the beacon and credentialdevices or the reader(s), or a combination of all of them.Alternatively, the reader(s) may forward information received frommultiple beacon devices and credential devices to a remote access serveror control panel for analysis and decision making. Optionally, if eitheror both the beacon device and the credential device are mobile devices,applications may be resident on these devices that provide redundantand/or additional information which may also be forwarded to the remoteaccess server or control panel and used in making access decisions.

FIG. 1A is a diagram depicting an access control system 100 for trackinga user 102 and for authenticating a user 102 using a credential device110, in which embodiments of the present disclosure may be implemented.In one embodiment, the access control system 100 comprises a pluralityof readers 112 and at least one beacon device 108. The readers 112 mayinclude an access data memory 116. The access data memory 116 may beconfigured to store location information, identification information,rules, program instructions, and/or other data associated with or usefulfor performing access control and asset tracking operations. In someembodiments, the reader 112 may be configured to communicate with anaccess data memory 116 across a communication network 128. The accessdata memory 116 may be located remotely, locally, and/or locally andremotely, from the reader 112.

The credential device 110 may be configured, in some embodiments, tocommunicate with a reader 112 across one or more wireless communicationconnections. These one or more wireless communication connections caninclude communications via at least one of conventional radio protocols,proximity-based wireless communication protocols, Bluetooth, BLE,infrared, audible, NFC, RF, and other wireless communication networksand/or protocols. Although in embodiments described in detail herein thecredential device 110 utilizes shorter-range wireless communicationprotocols such as NFC and RFID, the scope of the present disclosure isnot so limited. Other communication protocols having different rangesare within the scope of the present disclosure. In some cases,communications between the credential device 110 and the reader 112 maybe established automatically when the credential device 110 enters anactive zone of an interrogating reader 112. In one embodiment, theactive zone of the reader 112 may be defined as a three-dimensionalspace where the intensity of RF signals emitted by the reader 112exceeds a threshold of sensitivity of the credential device 110 and/orwhere the intensity of RF signals emitted by the credential device 110exceeds a threshold of sensitivity of the reader 112.

As noted above, the credential device 110 in some embodiments may beunpowered and may lack any electronic communication capability. In suchembodiments, information may be read or otherwise extracted from thecredential device 110 by a reader 112. For example, the reader 112 maycomprise a barcode scanner, and the reader 112 may obtain credentialsfrom a credential device 110 by scanning a barcode printed thereon. Asanother example, the reader 112 may comprise a camera or other imagescanner, and may obtain credentials from a credential device 110 bytaking and analyzing a picture of the credential device 110 orforwarding to server. As still another example, the reader 112 maycomprise a magnetic stripe reader, and may obtain credentials from acredential device 110 when a magnetic stripe of the credential device110 is swiped through the magnetic stripe reader.

The beacon device 108 may be configured to communicate with (or simplyto transmit or broadcast information to) one or more readers 112 acrossone or more wireless communication channels. These channels may utilizeBLE, for example, or Bluetooth, WiFi/IEEE 802.11N, or any other protocolthat allows the beacon device 108 to send information to one or morereaders 112 from beyond near-field range (e.g. from distances as greatas fifty fee or more). The information transmitted by the beacon device108 may comprise a BLE broadcast ID, a pseudonymous identifier, or anyother unique identifier (referred to collectively herein as a “beaconID”). The information transmitted by the beacon device 108 may alsocomprise, in some embodiments, a tracker ID or other identifier of acredential device 110 associated with the beacon device 108. The beacondevice 108 may be incorporated into or provided in the form of a lanyard(as shown in FIG. 1A), badge holder, badge reel, or other accessory forholding the credential device 110 and/or attaching the credential device110 to the clothing or body of the user 102. The beacon device 108automatically transmits or broadcasts the information described above atperiodic intervals, which transmissions or broadcasts may be received byone or more readers 112. The one or more readers 112 may in turn reportthe transmissions or broadcasts to one or more other readers 112 and/orto the access server 120. The transmissions or broadcasts may be used toidentify the beacon device 108 (and, in some embodiments, the credentialdevice 110 and/or user 102 associated therewith) and to determine theposition of, or a set of possible positions of, the beacon device 108(and thus of the credential device 110 and/or of the user 102).

In some embodiments, one or more of the components of the access controlsystem 100 are configured to communicate across a communication network128. The communication network 128 may utilize at least one ofconventional radio networks, wireless communication networks, Zig-Bee,GSM, CDMA, WiFi, and/or other communication networks and/or protocols asprovided or described herein.

Also in some embodiments, authentication may be required between thecredential device 110 and the reader 112 before further communicationsbetween the credential device 110 and the reader 112 are enabled. Thefurther communications may include communications in which accesscontrol information (e.g., keys, codes, credentials, etc.) or sensitiveinformation is shared. In some embodiments, the authentication may beprovided via one-way or mutual authentication. Examples ofauthentication may include, but are not limited to, simpleauthentication based on site codes, trusted data formats, sharedsecrets, and/or the like. As can be appreciated, access controlinformation may be sensitive and may therefore require more involvedvalidation via, for example, an encrypted exchange of access controlinformation.

In some embodiments, the reader 112 may be configured to request accesscontrol information (e.g. credentials) from the credential device 110.This access control information may be used to validate the credentialdevice 110 to the reader 112. Validation may include referring toinformation stored in access data memory 118 or some other memoryassociated with the reader 112. Typically, a reader 112 is associatedwith a particular physical or logical asset (e.g., a door protectingaccess to a secure room, a computer lock protecting sensitiveinformation or computer files, a lock on a safe, and the like). In oneembodiment, the credential device 110 may be validated via one or morecomponents of the access control system 100. Once the credential device110 is authenticated, credential information associated with thecredential device 110 may be validated. During this process, the reader112 may generate signals facilitating execution of the results ofinterrogating the credential device 110 (e.g., signals thatengage/disengage a locking mechanism, allow/disallow movement of amonitored article, temporarily disable the reader 112, activate an alarmsystem, provide access to a computer system, provide access to aparticular document, and the like). Alternatively, the access server 120or some other system backend component may generate such signals.

The access server 120 may include a processor, a memory, and one or moreinputs/outputs. The memory of the access server 120 may be used inconnection with the execution of application programming or instructionsby the processor, and for the temporary or long term storage of programinstructions and/or data. As examples, the memory may comprise RAM,DRAM, SDRAM, or other solid state memory. Additionally or alternatively,the access server 120 may communicate with an access data memory 118.Like the memory of the access server 120, the access data memory 118 maycomprise a solid state memory or device. The access data memory 118 maycomprise a hard disk drive or other random access memory. The accessserver 120 may receive information from the readers 112 via thecommunication network 128, and may utilize that information to makeposition determinations. Alternatively, the information received fromthe readers 112 may comprise position determinations, which the accessserver 120 may cause to be stored in a memory thereof or in the accessdata memory 118. In some embodiments, the access server 120 may compriseone or more user interfaces, via which an access control systemadministrator can interact with (including by inputting information intoand retrieving information from) the access server 120.

In some embodiments, the reader 112 may be configured to communicatewith one or more devices across a communication network 128. Forexample, the reader 112 may communicate with a credential device 110across the communication network 128. Among other things, thiscommunication can allow for back-end authentication and/or providenotifications from the reader 112 to the credential device 110. Thecommunication network 128 may comprise any type of known communicationmedium or collection of communication media and may use any type ofprotocols to transport messages between endpoints. The communicationnetwork 128 may include wired and/or wireless communicationtechnologies. The Internet is an example of the communication network128 that constitutes an Internet Protocol (IP) network consisting ofmany computers, computing networks, and other computing devices locatedall over the world, which are connected through many telephone systemsand other means. Other examples of the communication network 128include, without limitation, a standard Plain Old Telephone System(POTS), an Integrated Services Digital Network (ISDN), the PublicSwitched Telephone Network (PSTN), a Local Area Network (LAN), a WideArea Network (WAN), a Session Initiation Protocol (SIP) network, a Voiceover Internet Protocol (VoIP) network, a cellular network, RS-232,similar networks used in access control systems between readers andcontrol panels or access servers, and any other type of packet-switchedor circuit-switched network known in the art. In addition, it can beappreciated that the communication network 128 need not be limited toany one network type, and instead may be comprised of a number ofdifferent networks and/or network types. Moreover, the communicationnetwork 128 may comprise a number of different communication media suchas coaxial cable, copper cable/wire, fiber-optic cable, antennas fortransmitting/receiving wireless messages, and combinations thereof.

In some embodiments, the access control system 100 may include acomputing device 124, which may be used by an administrator of theaccess control system 100 to access and interface with the access server120 and/or one or more readers 112. A computing device 124 may include,but is not limited to, a mobile phone, smartphone, smart watch, laptopor other mobile computer, desktop computer, tablet, mobile computer, orother device comprising a processor, a memory, and a communicationinterface (which may be, for example, a network interface) forcommunicating with one or both of the access server 120 and a reader 112whether directly or via the communication network 128. In oneembodiment, the computing device 124 may be used to receivecommunications sent from the beacon device 108 or the credential device110 via the reader 112 or intended for the reader 112. In anotherembodiment, the computing device 124 may be configured to communicatedirectly with one or both of a beacon device 108 and a credential device110.

FIG. 1B shows aspects of the system 100 in greater detail. Inparticular, a lanyard 104 comprises a beacon device 108 and a credentialdevice 110. A user 102 may place the lanyard around his or her neck sothat the credential device 110 is visible and so that he or she is notaccidentally separated from the credential device 110 or the beacondevice 108. The credential device 110, as depicted in FIG. 1B, comprisesa photograph 222 of the user 102 as well as a bar code 226. Thephotograph 222 and the bar code 226 may be printed on disposable paperor cardstock. In other embodiments, the credential device 110 maycomprise a smartcard or other device that has an internal memory forstoring credentials and/or other information electronically. Suchcredential devices may or may not have information printed on an outersurface thereof.

The beacon device 108 is configured to communicate wirelessly with eachof the readers 212A-212C utilizing BLE. The beacon device 108 cantherefore communicate with each of the readers 212 from distances asgreat as fifty feet or more. The readers 212 (or an access server 120with which the readers 212 are in communication) may use RSSI todetermine a distance (which may be an approximate distance) between eachreader 212 and the beacon device 108. This information, together withknown information about the relative position of the readers 212 withrespect to each other, may be used by one or more readers 212 and/or bythe access server 120 to triangulate a position of the beacon device108.

As persons of ordinary skill in the art will appreciate based on theforegoing disclosure, at least an approximate position or location of abeacon device 108 may be determined even if the beacon device 108 isunable to communicate with three readers 212. For example, if the beacondevice 108 is only able to communicate with one reader 212, then suchinformation can be used to confirm that the beacon device 108 is atleast within communication range of the one reader 212. Additionally,RSSI may be used to determine a distance of the beacon device 108 fromthe one reader 212. Such information may be compared against a digitalor electronic map of the area surrounding the one reader 212 that isstored in a memory accessible to a reader 212, the access server 120, orthe computing device 124 to further narrow the potential positions ofthe beacon device 108 (e.g. by ruling out potential positions that areinaccessible, such as inside walls).

If, however, the beacon device 108 is able to communicate with tworeaders 212, then the potential position of the beacon device 108 islimited to that area where the communication ranges of the two readers212 overlap. Here again, RSSI may be used to determine the distance ofthe beacon device 108 from each of the two readers 212, and theavailable position information may be compared to a digital orelectronic map of the area surrounding the two readers so as to betterascertain the actual position of the beacon device 108.

All of the foregoing communications, determinations, and comparisons maybe performed automatically, based on communications between or among thebeacon device 108, the readers 212, and in some embodiments, the accessserver 120.

The readers 212 of FIG. 1B have the same or substantially similarcomponents and functionality as the readers 112 of FIG. 1A, and alsocomprise optical scanners 214A-214C. The optical scanners 214A-214C maybe used to scan the barcode 226 (or other visibly differentiatingfeature, such as a QR code) or the picture 222 of the credential device110. Based on the scanned barcode 226 or picture 222, the readers 212can determine whether or not to grant access to the user 102. The user102 may be required, for example, to scan the barcode 226 or picture 222with an optical scanner 214 of a reader 212 in order to pass from onearea of a secure facility to another (e.g., from a hallway into a room,from one room into another room, from a room into a hallway). In someembodiments, an access server 120 makes the determination of whether ornot to grant access to the user 102 based on information received fromthe readers 212, and transmits that determination to the readers 212 forimplementation by the readers 212. In addition to making an accesscontrol decision, when a user 102 presents the credential device 110 toa reader 212 and the reader 212 scans the barcode 226 or picture 222,the reader 212 (or the access server 120) may automatically determinethat the credential device 110—and thus the beacon device 108 and theuser 102) is within optical scanning range of the reader 212.

This information may be used not only to determine the present positionof the beacon device 108, but also to eliminate, within a certain timeperiod after the barcode 126 is scanned, potential positions of thebeacon device 108 (e.g. when there is uncertainty regarding the positionof the beacon device 108 because the beacon device 108 is not incommunication with at least three readers 212). For example, ifavailable RSSI, ToF, AoA, phase detection, and/or echo detectioninformation indicates that the beacon device 108 must be in one of twopositions—the first of which is readily accessible from the location ofthe reader 212 at which the credential device 110 corresponding to thebeacon device 108 was recently scanned, and the second of which isinaccessible (at least during the time that has passed since thescanning of the credential device 110) from the same location—then thesecond position may be ruled out as a possible location of thecredential device 110, the beacon device 108, and the user 102.

FIG. 1C depicts a beacon device 308 in the form of a badge holder,configured to securely hold the credential device 310. The credentialdevice 310 is a smartcard comprising circuitry that enables it to storecredentials electronically, which credentials can be read by ortransmitted to the readers 112A-112C via a wireless communicationchannel. As with the beacon device 108, the beacon device 308 utilizesBLE or another beyond-near-field wireless communication protocol forperiodic broadcasts. The credential device 310, on the other hand, usesa range-limited wireless communication protocol (e.g. RFID, NFC) forcommunicating credentials and/or other information to the readers 112.Thus, while the readers 212 illustrated in FIG. 1B included opticalscanners 214 to scan the barcode 226 or the picture 222 of thecredential device 110, the readers 112 communicate wirelessly with thecredential device 310. In all other respects, the components depicted inFIG. 1C interact in the same or in a substantially similar manner as thecomponents depicted in FIG. 1B, with the readers 112 and/or an accessserver 120 and/or a computing device 124 making access control decisionsbased upon credentials received by the readers 112 from the credentialdevice 310, and the readers 112 and/or the access server 120 and/or thecomputing device 124 also making position determinations based oncommunications received at the readers 112 from one or both of thebeacon device 308 and the credential device 310.

FIG. 2 shows a block diagram depicting a credential device 110 inaccordance with some embodiments of the present disclosure. Although theillustrated credential device 110 comprises a processor in addition tovarious other components, credential devices 110 according to otherembodiments of the present disclosure may not include a processor, andmay even be a piece of paper or other material with information (e.g.text, a barcode, an image) provided on a surface thereof.

The credential device 110 of FIG. 2 may be provided with a secure area208 that stores one or a plurality of access credentials and/or othersensitive information. The credentials and/or other sensitiveinformation may be communicated to a reader 112 in connection with aholder of the credential device 110 attempting to gain access to anasset protected by the reader 112. As an example, the credential device110 may be presented to the reader 112 by a user 102.

If the credential device 110 is configured to communicate credentialsand/or other information stored therein to a reader 112 using an NFCprotocol, then the reader 112 and credential device 110 may have theirinterfaces/antennas inductively coupled to one another, at which pointthe reader 112 and/or credential device 110 will authenticate ormutually authenticate with one another. Following authentication, thereader 112 may request credentials from the credential device 110, orthe credential device 110 may offer the credentials stored therein tothe reader 112. Upon receiving the credentials from the credentialdevice 110, the reader 112 may analyze the credentials and determinewhether the credentials are valid and, if so, allow the holder/user ofthe credential device 110 access to the asset protected by the reader112. It should be appreciated that the credential device 110 mayalternatively or additionally be configured to analyze informationreceived from the reader 112 in connection with making an access controldecision and/or in connection with making a decision whether or not toprovide credentials to the reader 112. Examples of technologies that canbe used by the credential device 110 to make an access control decisionfor itself are further described in U.S. Pat. No. 8,074,271 to Davis etal. and U.S. Pat. No. 7,706,778 to Lowe, both of which are herebyincorporated herein by reference in their entirety.

The credential device 110 of FIG. 2 is shown to include memory 204, aprocessor 216, one or more drivers 220, a reader interface 228, and apower module 224.

The memory 204 may correspond to any type of non-transitorycomputer-readable medium. In some embodiments, the memory 204 maycomprise volatile or non-volatile memory and a controller for the same.Non-limiting examples of memory 204 that may be utilized in thecredential device 110 include RAM, ROM, buffer memory, flash memory,solid-state memory, or variants thereof. Whether in the secure area 208or not, the memory 204 may store, in some embodiments, a tracker ID ofthe credential device 110, information about a beacon device 108associated with the credential device 110, information about a user 102associated with the credential device 110, and/or instructions forexecution by the processor 216.

The processor 216 may correspond to one or many microprocessors that arecontained within the housing of the credential device 110 with thememory 204. In some embodiments, the processor 216 incorporates thefunctions of a Central Processing Unit (CPU) on a single IntegratedCircuit (IC) or a few IC chips. The processor 216 may be a multipurpose,programmable device that accepts digital data as input, processes thedigital data according to instructions stored in its internal memory,and provides results as output. The processor 216 implements sequentialdigital logic as it has internal memory. As with most knownmicroprocessors, the processor 216 may operate on numbers and symbolsrepresented in the binary numeral system.

The driver(s) 220 may correspond to hardware, software, and/orcontrollers that provide specific instructions to hardware components ofthe credential device 110, thereby facilitating their operation. Forinstance, the reader interface 228 may have a dedicated driver 220 thatprovides appropriate control signals to effect its operation. Thedriver(s) 220 may also comprise the software or logic circuits thatensure the various hardware components are controlled appropriately andin accordance with desired protocols. For instance, the driver 220 ofthe reader interface 228 may be adapted to ensure that the readerinterface 228 follows the appropriate proximity-based protocols (e.g.,NFC, RFID, Infrared, Ultrasonic, etc.) such that the reader interface228 can exchange communications with a reader 112. As can beappreciated, the driver(s) 220 may also be configured to control wiredhardware components (e.g., a USB driver, an Ethernet driver, etc.).

The reader interface 228 may correspond to the hardware that facilitatescommunications with the credential device 110. The reader interface 228may include an RFID interface (e.g., antenna and associated circuitry),an NFC interface (e.g., an antenna and associated circuitry), anInfrared interface (e.g., LED, photodiode, and associated circuitry),and/or an Ultrasonic interface (e.g., speaker, microphone, andassociated circuitry). In some embodiments, the reader interface 228 isspecifically provided to facilitate proximity-based communications witha reader 112 via a communication channel or multiple communicationchannels. Also in some embodiments, the reader interface 228 mayfacilitate communications with a reader using any of the protocolsdescribed herein for use by a beacon device 108 for communicating with areader 112.

In embodiments of the credential device 110 that include a power module224, the power module 224 may include a built-in power supply (e.g.,battery) and/or a power converter or generator that generates electricalenergy from another form of energy. In some embodiments, the powermodule 224 may also include some implementation of surge protectioncircuitry to protect the components of the credential device 110 frompower surges.

Referring now to FIG. 3, the access server 120, which may or may not bein wired or wireless communication with one or more of the reader(s)112, includes a memory 304, a processor 316, a communication interface320, one or more driver(s) 324, a power source 328, and a user interface332.

The memory 304 of the access server 120 may correspond to any type ofnon-transitory computer-readable medium. In some embodiments, the memory304 may comprise volatile or non-volatile memory and a controller forthe same. Non-limiting examples of memory 304 that may be utilized inthe access server 120 include RAM, DRAM, SDRAM, ROM, buffer memory,flash memory, solid-state memory, or variants thereof. In someembodiments, the memory 304 may be or comprise a hard disk.

The memory 304 may be used in connection with the execution ofapplication programming or instructions by the processor 316. Forexample, the memory 304 may store instructions for execution by theprocessor 316. The memory 304 may also be used, for example, for thetemporary or long term storage of data, including, for example,historical configuration information, historical credential information,and one or more metrics regarding the use and/or functioning of one ormore readers 112.

The memory 304 stores information relevant to the tracking of assetsutilizing the access control system 100 and the administration of theaccess control system 100, such as asset tracking module 308 and/orcredential device information 316. The asset tracking module 308 maycomprise instructions for calculating or otherwise determining aposition or a set of possible positions of a beacon device 108. Forexample, the access control module 308 may comprise instructions forapplying techniques such as RSSI, triangulation, phase detection, andecho detection to determine a position or a set of possible positions ofa beacon device 108. Additionally, the access control module 308 maycomprise instructions for comparing a first position determination (ordetermination of a set of possible positions) based on a firsttransmission from the beacon device 108 with a second positiondetermination (or determination of a set of possible positions) based ona second transmission of the beacon device 108, and for generating a“track” of the beacon device 108 (e.g. a likely path of the beacondevice 108 over time based on periodic position determinations and, insome embodiments, a digital or electronic map of the facility secured bythe access control system) and/or eliminating one or more possiblepositions from the first and second sets of possible positions (e.g.,those positions that the beacon device could not logically occupy at thefirst and second times). The access control module 308 may furthercomprise instructions for comparing a position determination based on aninteraction of a reader 112 with a credential device 110 at a first timewith a determination of a set of possible positions based on atransmission from the beacon device 108 corresponding to the credentialdevice 110 at a second time, and for eliminating one or more possiblepositions from the set of possible positions (e.g. those possiblepositions that the beacon device 108 could not logically occupy giventhe location of the reader 112 that interacted with the credentialdevice 110 and the amount of time that passed between the first time andthe second time).

The credential device information 312 may comprise information about oneor more currently authorized credential devices 110. Such informationmay include, for example, information about one or more authorizedcredentials that are linked with or have been provided to eachcredential device 110. Such information may also include, for example,identification or descriptive information about each credential device110, information about which credential device 110 is associated withwhich beacon device 108, and/or information about which individual isassociated with which credential device 110.

The communication interface 320 may correspond to the hardware thatfacilitates communications with one or more of the reader(s) 112 and/orthe computing device 124. The communication interface 320 may includeone or more of a Bluetooth interface (e.g., antenna and associatedcircuitry), a Wi-Fi/802.11N interface (e.g., an antenna and associatedcircuitry), an NFC interface (e.g., an antenna and associatedcircuitry), an Infrared interface (e.g., LED, photodiode, and associatedcircuitry), an Ultrasonic interface (e.g., speaker, microphone, andassociated circuitry), or any other suitable interface for enablingcommunications with the readers 112 and/or the computing device 124. Insome embodiments, the communication interface 320 may enablecommunications with one or both of credential devices 110 and beacondevices 108, e.g. to allow an access control system administrator toread information from a credential device 110, provide a tracker ID 428to a beacon device 108, obtain a beacon ID 424 from a beacon device 108for establishing an association between the beacon device 108 and acredential device 110, or for any other communications needed toimplement the systems and methods described herein.

The user interface 332 may comprise one or more user input devicesand/or one or more user output devices. Examples of suitable user inputdevices that may be included in the user interface 332 include, withoutlimitation, one or more of a keyboard, mouse, button, touch-sensitivesurface, pen, camera, microphone, etc. Examples of suitable user outputdevices that may be included in the user interface 332 include, withoutlimitation, display screens, touchscreens, lights, speakers, etc. Itshould be appreciated that the user interface 332 may also include acombined user input and user output device, such as a touch-sensitivedisplay or the like. The user interface 332 may allow a systemadministrator to modify the credential device information 312, e.g. byproviding or changing credential device information, establishing orremoving associations between credential devices 110 and beacon devices108, and/or establishing or removing associations between individuals(or identifying information corresponding to individuals) and credentialdevices 110.

The power source 328 may include a built-in power supply (e.g., abattery) and/or a generator or other energy production device forgenerating electricity (e.g. a solar cell). Alternatively, the powersource 328 may comprise an interface for receiving power from anelectrical outlet. In some embodiments, the power source 328 may alsoinclude some implementation of surge protection circuitry to protect thecomponents of the mobile device 108 from power surges. Also in someembodiments, the power source 328 may comprise circuitry for convertingincoming alternating current to direct current for powering the variouscomponents of the access server 120.

The processor 316 and the driver(s) 324 may be substantially similar oridentical to the processor 216 and the driver(s) 220.

With reference now to FIG. 4, a beacon device 108 (or 308) may comprisea memory 404, a processor 408, one or more drivers 412, atransmitter/antenna 416, and a power module 420. The memory 404 maycorrespond to any type of non-transitory computer-readable medium. Insome embodiments, the memory 204 may comprise volatile or non-volatilememory and a controller for the same. Non-limiting examples of memory204 that may be utilized in the mobile device 108 include RAM, ROM,buffer memory, flash memory, solid-state memory, or variants thereof.

The memory 404 stores, among other things, a unique beacon ID 424. Thememory 404 may also store a tracker ID 428 that corresponds to acredential device 110 or 310 associated with the beacon device 108. Oneor more drivers 412, as well as instructions for execution by theprocessor 408, may also be stored in the memory 404.

The processor 408 may correspond to one or many microprocessors that arecontained within the housing of the beacon device 108 with the memory404. In some embodiments, the processor 408 incorporates the functionsof a Central Processing Unit (CPU) on a single Integrated Circuit (IC)or on multiple IC chips. The processor 408 may be a multipurpose,programmable device that accepts digital data as input, processes thedigital data according to instructions stored in its internal memory,and provides results as output. The processor 408 implements sequentialdigital logic as it has internal memory. As with most knownmicroprocessors, the processor 408 may operate on numbers and symbolsrepresented in the binary numeral system. In particular, the processor408 may cause the transmitter/antenna 416 to periodically broadcast asignal that may be received by one or more readers 112 and used fordetermining a location or a set of possible locations of the beacondevice 108.

The drivers 412 may correspond to hardware, software, and/or controllersthat provide specific instructions to hardware components of the beacondevice 108, thereby facilitating their operation. For instance, thetransmitter/antenna 416 and the receiver 418 may each have a dedicateddriver 412 that provides appropriate control signals to effect itsoperation. The driver(s) 412 may also comprise the software or logiccircuits that ensure the various hardware components are controlledappropriately and in accordance with desired protocols. For instance,the driver 412 of the transmitter/antenna 416 may be adapted to ensurethat the transmitter/antenna 416 transmits signals using the BLEprotocol such that readers 112 or 212 are able to receive andappropriately analyze the signals.

The transmitter/antenna 416, under control of the processor 408,periodically (or at non-uniform intervals) broadcasts a signal that may,in some embodiments, include the beacon ID 424. Readers 112 or 212 thatreceive the signal use the signal to determine the location (or thepossible locations) of the beacon device 108. If the signal includes thebeacon ID 424, then the readers 112 or 212 can determine which beacondevice 108 is at the determined location or possible locations. If thesignal does not include the beacon ID 424 (or, in embodiments, where thememory 404 also stores a tracker ID 428, if the signal includes thebeacon ID 424 but not the tracker ID 428), then a reader 112 or 212 mayestablish a connection with the beacon device 108 to retrieve the beaconID 424 (or the tracker ID 428) from the memory 404 of the beacon device108. In such embodiments, however, the beacon device 108 also includes areceiver 418, via which the beacon device 108 may receive, for example,a read command from a reader 112.

The power module 420 may include a built-in power supply (e.g., abattery) and/or a generator or other energy production device forgenerating electricity (e.g. a solar cell). In some embodiments, thepower module 420 may also include some implementation of surgeprotection circuitry to protect the components of the mobile device 108from power surges.

Referring now to FIG. 5, a reader 112 (or 212) according to embodimentsof the present disclosure may comprise a memory 504, a processor 508,one or more driver(s) 512, a device interface 516, a network interface520, a power module 524, and, in some embodiments, a barcode scanner528.

Like the memory 404, the memory 504 may correspond to any type ofnon-transitory computer-readable medium. The memory 504 may be locatedlocally or remotely to the other components of the reader 112. In someembodiments, the memory 504 may comprise volatile or non-volatile memoryand a controller for the same. Non-limiting examples of memory 504 thatmay be utilized in the reader 112 include RAM, ROM, buffer memory, flashmemory, solid-state memory, or variants thereof.

The memory 504 may store the one or more drivers 512 as well asinstructions for execution by the processor 508 that, when executed bythe processor 508, enable the reader 112 to communication with one ormore beacon devices 108 and/or one or more credential devices 110. Insome embodiments, the instructions may further enable the reader 112 tocommunicate information about transmissions received from one or morebeacon devices 108 and/or credential devices 110 to other readers 112,to an access server 120, and/or to a computing device 124. The memory504 may further store instructions for enabling the reader 112 todetermine a distance to a beacon device 108 using RSSI, and/or totriangulate a position of a beacon device 108, and/or to engage in anyother communications or make any other determinations described herein.Additionally, the memory 504 may store information associating a beacondevice 108 with a credential device 110, and/or information associatinga credential device 110 with a visitor or other user 102. The memory 504may yet further store instructions for enabling the reader 112 toestablish an association between a beacon device 108 and a credentialdevice 110.

The processor 508 may correspond to one or multiple microprocessors thatare contained within the housing of the reader 112. In some embodiments,the processor 508 incorporates the functions of a Central ProcessingUnit (CPU) on a single Integrated Circuit (IC) or a few IC chips. Theprocessor 508 may be a multipurpose, programmable device that acceptsdigital data as input, processes the digital data according toinstructions stored in its internal memory, and provides results asoutput. The processor 508 implements sequential digital logic as it hasinternal memory. As with most known microprocessors, the processor 508may operate on numbers and symbols represented in the binary numeralsystem.

The driver(s) 512 may correspond to hardware, software, and/orcontrollers that provide specific instructions to hardware components ofthe reader 112, thereby facilitating their operation. For instance, thedevice interface 516 and network interface 520 may each have a dedicateddriver 512 that provides appropriate control signals to effect itsoperation. The driver(s) 512 may also comprise the software or logiccircuits that ensure the various hardware components are controlledappropriately and in accordance with desired protocols. For instance,the driver 512 of the device interface 516 may be adapted to ensure thatthe device interface 516 follows the appropriate communication protocols(e.g., BLE, NFC, Infrared, Ultrasonic, WiFi/IEEE 802.11N, etc.) suchthat the device interface 516 can exchange communications withcredential devices 110 and beacon devices 108. Likewise, the driver 512of the network interface 520 may be adapted to ensure that the networkinterface 520 follows the appropriate network communication protocols(e.g., TCP/IP (at one or more layers in the OSI model), UDP, RTP, GSM,LTE, Wi-Fi, etc.) such that the network interface 520 can exchangecommunications via a communication network such as the communicationnetwork 128. As can be appreciated, the driver(s) 512 may also beconfigured to control wired hardware components (e.g., a USB driver, anEthernet driver, etc.).

The device interface 516 may correspond to the hardware that facilitatescommunications between the reader 112 and one or more beacon devices 108or credential devices 110. The device interface 516 may include aBluetooth interface (e.g., antenna and associated circuitry), aWiFi/802.11N interface (e.g., an antenna and associated circuitry), anNFC interface (e.g., an antenna and associated circuitry), an Infraredinterface (e.g., LED, photodiode, and associated circuitry), and/or anUltrasonic interface (e.g., speaker, microphone, and associatedcircuitry). In some embodiments, the device interface 516 isspecifically provided to facilitate proximity-based communications witha credential device 110 via a communication channel or multiplecommunication channels.

The network interface 520 may comprise hardware that facilitatescommunications with other devices over a communication network such asthe communication network 128. The reader 112 may, for example, maintaincommunications with an access server such as access server 120, withother readers 112, and/or with one or more services or data sourcesaccessible via the communication network 128 (e.g. a web-based clockservice, a remote memory such as access data memory 118, and so forth).The network interface 520 may include an Ethernet port, a WiFi card, aNetwork Interface Card (NIC), a cellular interface (e.g., antenna,filters, and associated circuitry), or the like. The network interface520 may further be configured to encode and decode communications (e.g.,packets) according to a protocol utilized by the communication network128, and/or to encrypt or decrypt secure communications.

The power module 524 may include a built-in power supply (e.g., battery)and/or a power converter that facilitates the conversion ofexternally-supplied AC power into DC power that is used to power thevarious components of the reader 112. In some embodiments, the powermodule 524 may also include some implementation of surge protectioncircuitry to protect the components of the reader 112 from power surges.

In some embodiments, the reader 112 comprises a scanner 528. The scanner528 may be a 1-dimensional or 2-dimensional bar code scanner, an imagescanner, a laser scanner, a magnetic stripe reader, or any other scanneror reader suitable for obtaining information from a credential device110 that is not configured for wireless or electronic communication (orfrom a credential device 110 that is configured for wireless orelectronic communication, but that also comprises one or morenon-electronic means of encoding information, such as a printed1-dimensional barcode, a printed 2-dimensional barcode, printed text, aprinted image, and/or a magnetic stripe. The scanner 528 may compriseboth hardware and software. The scanner 528 may scan continuously, orthe scanner 528 may comprise a motion detector that causes the scanner528 to scan only when nearby motion is detected. As another alternative,the scanner 528 may be configured to scan continuously duringpredetermined time periods. As still another alternative, the scanner528 may be configured to scan when a button on the reader 112 ispressed, when an on/off switch is turned on, or upon receipt of anotherinput.

Referring now to FIG. 6, a method 600 according to at least oneembodiment of the present disclosure may comprise associating a visitorwith a credential device (step 604). The association may be made on acomputing device, which may be, for example, an access server 120 or acomputing device 124. For example, a visitor to a secured facility mayprovide his or her identification information (e.g. a name, a driver'slicense, and/or a passport) to an access control system administrator(who may be, for example, a security guard and/or a receptionist). Theaccess control system administrator may enter the name and/or otheridentification information of the visitor in the access server 120 orthe computing device 124, which may automatically associate thevisitor's name with a particular credential device 110. For example, thecredential device 110 may be associated with a tracker ID 428, and adatabase stored on or by the access server 120 may store the tracker IDs428 associated with every credential device 110 used by the accesscontrol system 100. The access control system administrator may enterthe visitor identification information into the database, which may thenassociate the visitor identification information with the tracker ID 428of a credential device 110 that is not already associated with anotherindividual.

In some embodiments, the access control system administrator mayassociate a visitor with a credential device 110 by locating anavailable credential device 110 and scanning a barcode thereon (e.g.with a scanner similar to the scanner 528), tapping the credentialdevice 110 on a near-field computing device to cause the credentialdevice 110 to transmit its tracker ID 428 to the near-field computingdevice (which may, in turn, be in communication with the access server120), or otherwise read a tracker ID 428 from the credential device 110.This may cause the access server 120 (or the computing device 124) toopen a dialogue box into which the system administrator can enteridentification information of a visitor to be associated with thecredential device 110, which information and association can then besaved.

In other embodiments, an access control system administrator mayassociate a visitor with a credential device 110 by entering one or morepieces of visitor identification information (e.g. name, telephonenumber, email address, or visitor image) into a spreadsheet or databasethat contains the tracker IDs 428 of the credential devices 110 that areused with the access control system 100. For example, if each row of afirst column of a spreadsheet contains a tracker ID 428 of credentialdevice 110 that is used with the access control system, then the accesscontrol administrator may associate a visitor with one of the trackerIDs 428 (and thus with one of the credential devices 110) by enteringthe visitor's identification information in the same row as the trackerID 428 in question but in a second column of the spreadsheet. With sucha spreadsheet, the access control administrator can readily determinewhich tracker IDs 428 are not currently associated with anyone (and aretherefore available to be associated with a visitor) by identifyingblank cells in the second column of the spreadsheet.

In addition to associating a visitor with a credential device 110, themethod 600 may comprise associating the credential device 110 with abeacon device 108 (step 608). The beacon device 108 may have the formfactor of, for example, a lanyard (or a lanyard attachment), a badgeholder, or a retractable badge reel. Thus, the credential device 110 maybe physically associated with the beacon device 108 by attaching thecredential device 110 to the beacon device 108.

In some embodiments, the credential device 110 may also be associatedwith the beacon device 108 by causing the tracker ID 428 of thecredential device 110 to be stored in the memory 404 of the beacondevice 108. For this to occur, the access control system administratormay manually provide the beacon ID 424 of the beacon device 108 inquestion to the access server 120. The access server 120 may thentransmit the tracker ID 428 and the beacon ID 424 to one or more readers112 over the communication network 128, one or more of which readers 112may then transmit the tracker ID 428 (e.g. as part of a memory writecommand) to the beacon device 108 (using the beacon ID 424 to send thetracker ID 428 to the proper beacon device 108), using a deviceinterface 516. In other embodiments, the access control systemadministrator may cause the computing device 124 or the access server120 to generate a beacon ID 424 and to transmit the generated beacon ID424 to the beacon device 108, which may then adopt the generated beaconID 424 for at least as long as the beacon device 108 is associated withthe credential device 110. In still other embodiments, the access server120 or the computing device 124 may transmit the tracker ID 428 of thecredential device 110 to the beacon device 108, which may then adopt thetracker ID 428 as the beacon ID 424 for at least as long as the beacondevice 108 is associated with the credential device 110 having thetracker ID 428.

Alternatively, an access control system 100 may be configured toautomatically determine which credential device 110 is associated with abeacon device 108 by comparing the amount of time that passes between afirst communication between a given reader 112 and a beacon device 108on the one hand and a first communication between the given reader 112and a credential device 110 on the other. Because the beacon device 108is equipped with beyond-NFC communication capabilities, it willtypically communicate with the reader 112 before the credential device110 communicates with the reader. Thus, the access control system 100may be configured to associate a credential device 110 with a beacondevice 108 if the first communication with each of the two devicesoccurs within a given amount of time of the other, where the amount oftime depends on the difference in communication range of the beacondevice 108 and the credential device 110. Once the backend portion ofthe access control system 100 (e.g. the readers 112 and/or the accessserver 120) associates the beacon device 108 with the credential device110, one or more of the readers 112 may send a write-to-memory commandto the beacon device 108 that causes the beacon device 108 to store thetracker ID 428 of the associated credential device 110 in the memory 404of the beacon device 108. Alternatively, the beacon device 108 mayrequest the tracker ID 428 of the associated credential device 110 fromone or more of the readers 112, and may store that tracker ID 428 in thememory 404 of the beacon device 108 upon receipt of the tracker ID 428.

As another alternative, an access control system 100 may be configuredsuch that beacon devices 108 used with the system 100 transmit anindication of whether they are or are not associated with a credentialdevice 110. The indication may be as simple as, for example, the absenceof a tracker ID 428 in transmissions made by the beacon device 108. Theindication may also be, as another example, an affirmative indication(e.g. a predetermined code) that the beacon device 108 has not beenassociated with a credential device 110. Then, when a reader 112receives a signal from a beacon device 108 that comprises an indicationthat the beacon device 108 is not associated with a credential device110, the system 100 may be configured to automatically associate thenext unrecognized tracker ID 428 (e.g. the next tracker ID 428 that hasnot already been associated with a beacon device 108) with the beacondevice 108 from which the indication was received.

In some embodiments, the association of the beacon device 108 and thecredential device 110 may be tracked by the beacon device 108 (e.g. bystoring the tracker ID 428 of the associated credential device 110 inthe memory 404 of the beacon device 108). In other embodiments, however,the association of the beacon device 108 and the credential device 110may be maintained solely in the backend portion of the access controlsystem 100.

The method 600 also comprises inferring the location of a visitor basedon a determined location of the beacon device and/or a credential device(step 612). In embodiments where the beacon device 108 stores, in thememory 404 thereof, a tracker ID 428 of an associated credential device110, the beacon device 108 may periodically transmit the tracker ID 428(together with the beacon ID 424, in some embodiments). In embodimentswhere the beacon device 108 does not store a tracker ID 428, the beacondevice 108 periodically transmits its beacon ID 424. When one or morereaders 112 within communication range of a beacon device 108 receive atransmitted signal from the beacon device 108, the one or more readers(which may communicate with each other directly, or via thecommunication network 128) or the access server 120 or the computingdevice 124 (using information received from the one or more readers 112)calculate a position or a plurality of possible positions of the beacondevice 108 using known techniques for determining or triangulatingposition, including, for example, one or more of RSSI, triangulation,phase detection, and echo detection. The reader(s) 112 and/or the accessserver 120 also determine which tracker ID 428 is associated with thebeacon device 108, and based on that determination, infer a location (ora plurality of possible locations) of the visitor that is associatedwith the credential device 110 having the tracker ID 428.

When a reader 112 communicates (or obtains information from) acredential device 110, the reader 112 (or the access server 120, basedon information received from the reader 112) determines which visitor isassociated with the credential device 110, and infers that the visitoris located in the immediate vicinity of the reader 112 (because thecredential device 110 utilizes NFC or a similar short-rangecommunication protocol, or because the credential device 110 must bephysically placed adjacent the reader 112 to be scanned).

As persons of ordinary skill in the art will appreciate, the receipt bythe readers 112 of periodic transmissions from the beacon device 112,together with the occasional gathering of information from thecredential device 110 itself (whether through wireless, short rangecommunications or by scanning the credential device 110) allows multipleinferences to be made regarding the location of a visitor associatedwith the credential device 110, which inferences may be used to informfuture location determinations and inferences for the visitor inquestion. For example, the gathering of information from a credentialdevice 110 provides a basis for highly certain visitor locationinferences. These highly certain location inferences may be used by thereaders 112 and/or the access server 120 to eliminate nonsensicalpotential location determinations or inferences. For example, a visitormay scan his or her credential device 110 at a first time, resulting ina highly certain location inference. Then, at a second time shortlythereafter, a reader 112 may receive a broadcast signal from the beacondevice 108 associated with the visitor's credential device 110 thatresults in two or more potential position determinations. The reader 112(or the access server 120) may then use the highly certain locationinference to eliminate any of the potential position determinations thatwould require the visitor to have gone farther or moved faster than isphysically possible (or, in some embodiments, than is likely) in theamount of time that has passed since the highly certain locationinference was made.

In some embodiments, the access control system 100 may store eachlocation determination or inference for each visitor, and may use thestored location determinations or inferences to create a track of thevisitor's movement. The stored location determinations or inferencesand/or the track of the visitor's movement may be accessible to anaccess control system administrator via the access server 120 and/or thecomputing device 124. In some embodiments, the access control system 100may only store the location determinations or inferences correspondingto a particular visitor for a given amount of time (e.g. 30 minutes, 1hour, 2 hours, 1 day, 1 week, or 1 month). In still other embodiments,the access control system 100 may simply replace each locationdetermination or inference with a new location determination orinference at the time the new location determination or inference ismade.

The access control system 100 may further be configured to use locationdeterminations and inferences for security purposes. For example, theaccess control system 100 may be configured to sound an alarm if itinfers or determines that a visitor is located in an area of a securefacility in which the visitor is not authorized to be. As anotherexample, the access control system 100 may be configured to send amessage (e.g. an email or a text message) if it infers or determinesthat a visitor is in an unauthorized location of a secure facility.

The access control system 100 may also be configured to terminate accessauthorizations if it is determined that the beacon device 108 andcredential device 110 are not at the same location. For example, if thebeacon device 108 communicates with a first reader 112 and thecredential device 110 communicates with a second reader 112 that isoutside of the communication range of a beacon device 108 communicatingwith the first reader 112, then the access control system 100 maydetermine that the credential device 110 has been separate from thebeacon device 108.

If a determination is made that a credential device 110 has beenseparated from a beacon device 108, then the access control system 100may change the access authorization of the credential device 110, forexample by preventing each of the readers 112 from granting access basedon credentials provided by the credential device 110, or by otherwisedisabling the ability of the credential device 110 from being used toobtain access to the secure facility (or any portion thereof) protectedby the access control system 100. Additionally, the access server 120,the computing device 124, or another component of the access controlsystem 100 may, for example, send an electronic message (e.g. an emailor a text message) or an automatically generated voice message, displaya message on a graphical user interface, make an announcement (e.g. apre-recorded announcement or an automatically generated announcement)over a loudspeaker system, or sound an alarm. In some embodiments, theaccess control system may include in a message or announcementidentification information of the individual associated with thecredential device 110 and/or the beacon device 108, e.g. to assistsecurity guards, employees, or other persons to locate the individualassociated with the credential device 110 and/or the beacon device 108.

When the visitor's visit to the secure facility is over, the visitor mayreturn his or her beacon device 108 and credential device 110 to theaccess control system administrator (or another administrativeindividual, such as a receptionist or security guard, either one ofwhich may in some embodiments also be an access control systemadministrator). The administrator may then de-associate the credentialdevice 110 from the beacon device 108 (step 616). For example, theadministrator may input a command (e.g. via the access server 120 or thecomputing device 124) that causes the access control system 100 (or,more particularly, one or more readers 112, and/or the access server120) to remove from any database, spreadsheet, or memory any associationbetween the beacon ID 424 of the beacon device 108 and the tracker ID428 of the credential device 110. As another example, the administratormay input a command (e.g. via the access server 120 or the computingdevice 124) that causes a signal to be sent to the beacon device 108(e.g. via a reader 112) that commands the beacon device 108 to deletethe tracker ID 428 of the credential device 110 from the memory 404 ofthe beacon device 108.

The system administrator may also de-associate the visitor from thecredential device (step 620). This may be accomplished by, for example,deleting (or causing to be deleted) the visitor identificationinformation from the spreadsheet or database that associates the visitoridentification information with the credential device 110.

In some embodiments, both steps 616 and 620 may be accomplishedautomatically, whether at a predetermined time (e.g. at the close ofbusiness, at a check-out time, or at any other predetermined time) orwhen one or both of the beacon device 108 and the credential device 110communicates with a designated reader 112, such as a reader 112 at afront desk of the secure facility or readily accessible to the systemadministrator.

Data and/or applications such as spreadsheets, databases, locationdeterminations and inferences, and the like may be stored in one or bothof an access data memory 116 and an access data memory 118. Such dataand/or applications may also be stored in a memory of the access server120.

Referring now to FIG. 7, a method 700 according to at least oneembodiment of the present disclosure comprises receiving an input basedupon which an individual is associated with a credential device (step704). The input is received on a computing device, which may be, forexample, an access server 120 or a computing device 124. The inputcomprises identifying information about an individual, which mayinclude, for example, the individual's name, age, birthday, height,weight, skin color, hair color, eye color, social security number, otheridentification number, driver's license number, passport number,telephone number, email address, residential address, work address,and/or mailing address. The identifying information may be contained ina signal generated based upon the scanning/reading of a driver's licenseor a passport (or of a barcode or magnetic strip on a driver's licenseor a passport), which signal may contain identifying information aboutthe holder of the driver's license or passport. The identifyinginformation may also be provided by an access control systemadministrator or other user of a user interface connected to or formingpart of an access server 120 and/or a computing device 124. For example,a system administrator may type identification information for theindividual in question into a spreadsheet or database using a userinterface of the access server 120 or computing device 124.

Upon receipt of the input, the computing device 124 or access server 120associates the individual (or, more specifically, one or more pieces ofidentifying information about the individual) with a particularcredential device 110. The association may be made, for example, in aspreadsheet or database, and may be stored in a memory of the computingdevice 124, or of the access server 120, or of one or more readers 112,and/or in an access data memory 118 or 116.

In some embodiments of the present disclosure, the input may be receivedon a smart phone or other mobile device of the individual himself orherself. For example, if the smart phone or other mobile device isconfigured to communicate via NFC, to scan barcodes, and/or to readmagnetic stripes, then the individual may use his or her smart phone orother mobile device to obtain a tracker ID 428 or other identifyinginformation from a credential device 110. The smartphone may utilize amobile app installed thereon to cause the smartphone to obtain theinformation from the credential device 110.

The method 700 may also comprise receiving an input based upon which thecredential device 110 is associated with a beacon device 108 (step 708).The input may be a signal transmitted by a beacon device 108 andreceived by a reader 112 or other communication interface associatedwith the computing device 124 and/or access server 120 (e.g. a reader112 that is readily accessible to a system administrator). The input mayalso comprise manual entry of a beacon ID 424 or other identifyinginformation of the beacon device 108 into the computing device 124 oraccess server 120. In some embodiments, the input may comprise a trackerID 428 or other identifying information associated with the credentialdevice 110.

Upon receipt of the input, the computing device 124 or access server 120associates the credential device 110 (or, more specifically, one or morepieces of identifying information about the credential device 110) witha particular beacon device 108. The association may be made, forexample, in a spreadsheet or database, and may be stored in a memory ofthe computing device 124, or of the access server 120, or of one or morereaders 112, and/or in an access data memory 118 or 116. The associationmay cause the beacon device 108 to begin periodically transmitting orbroadcasting a signal, which may include, for example, a beacon ID 424and/or a tracker ID 428.

In embodiments where a smart phone or other mobile device of theindividual receives the input based upon which the individual isassociated with a credential device 110 in step 704, the smart phone orother mobile device may also receive or provide the input based uponwhich the credential device 110 is associated with a beacon device 108in step 708. For example, the smart phone or other mobile device maycommunicate directly with the beacon device 108 (e.g. using a BLEinterface) to obtain a beacon ID 424 thereof, and may transmit thebeacon ID 424 (together with, in some embodiments, a tracker ID 428 orother information about the credential device 110) to the access server120 via the communication network 128. Alternatively, the smart phone orother mobile device may provide the tracker ID 428 of the credentialdevice 110 to the beacon device 108, which may adopt the tracker ID 428as the beacon ID 424, and thus be associated with the credential device110 by virtue of sharing the same identifier.

In addition to creating an electronic association between the credentialdevice 110 and the beacon device 108, a physical association between thetwo devices may also be made. For example, in embodiments where thebeacon device 108 is in the form of a lanyard or lanyard attachment, abadge holder, or a retractable badge reel, the credential device 110 maybe attached to or in the vicinity of the beacon device 108 to facilitatethe carrying of the beacon device 108 and the credential device 110 bythe individual associated with the credential device 110.

The method 700 may further comprise receiving a transmission from thebeacon device (step 712). The transmission may be a signal transmittedor broadcasted by the beacon device 108 on a periodic basis, and maycomprise a beacon ID 424, a tracker ID 428, or other informationallowing the beacon device 108 to be distinguished from other beacondevices. The transmission may be received by one or more readers 112,and may be received while the beacon device 108 is too far from the oneor more readers 112 to allow the one or more readers 112 to communicatewith or obtain information from the credential device 110. In someembodiments, the transmission may not include a beacon ID 424 or atracker ID 428, but may instead allow or cause one or more readers 112(e.g. the reader(s) 112 that receive the transmission) to establish aconnection with the beacon device 108 and read one or both of the beaconID 424 and the tracker ID 428 from the memory 404 of the beacon device108.

Based on the received transmission, one or more of the access server120, the computing device 124, and the one or more readers 112 maydetermine a possible location or a set of possible locations of thebeacon device 108 (step 716). The determination may be made using knownposition determination techniques, including triangulation, and mayutilize one or more techniques such as RSSI, echo detection, and phasedetection to calculate or estimate a distance between a given reader 112and the beacon device 108, an angle between a given reader 112 and thebeacon device 108, and/or a position of the beacon device 108 relativeto the one or more readers 112 or relative to an electronic or digitalmap of the facility in which the access control system 100 is installed.The determination may also utilize the known position (includingdistances and angles between the known positions) of a plurality ofreaders 112, including the one or more readers 112.

The method 700 may further comprise receiving an indication that thecredential device 110 has communicated with (or been scanned or read by)a specific reader 112 (step 720). Because a reader 112 can obtaininformation from a credential device 110 only when the credential device110 is physically proximate to the reader 112 (e.g. within NFCcommunication range, or close enough to be scanned by a barcode scanneror to be swiped through a magnetic stripe reader), an indication thatthe reader 112 has obtained information directly from a credentialdevice 110 allows the position of the credential device 110 to bedetermined with a high degree of certainty.

Consequently, the indication that a reader 112 has obtained informationdirectly from a credential device 110 may be used to refine a previous(or a subsequent) determination of possible locations of the beacondevice 108 that were or are based on a transmission received from thebeacon device 108 (step 724). For example, if a previous transmissionfrom the beacon device 108 resulted in a set of determined possiblepositions (e.g. because the transmission was only received by one reader112, and only the distance from the beacon device 108 to the reader 112was able to be determined based on the transmission), then thedetermined position of the credential device 110 from the step 720 maybe used to eliminate one or more of the determined possible positions(e.g. those possible positions that are far enough away from thedetermined position of the credential device 110 that it would have beenphysically impossible, difficult, or unlikely for the holder of thebeacon device 108 and credential device 110 to move from the possiblepositions to the determined position of the credential device within theamount of time that passed between the determining of the set ofpossible positions and the receipt by the reader 112 of informationdirectly from the credential device 110.

Additionally, the receipt over time by different readers 112 oftransmissions from the beacon device 108 may be used to determine adirection of movement of the holder of the beacon device 108, whichdirection of movement may also be used to eliminate potential positiondeterminations when there is insufficient information to determine asingle position of the beacon device 108. For example, if over a givenperiod of time a series of readers 112 sequentially receive one or moretransmissions from a beacon device 108, and each of the series ofreaders 112 is positioned to the west of the preceding reader 112, thenthe access server 120 (or the computing device 124, or one or morereaders 112) can infer that the holder of the beacon device 108 ismoving westward, and use that inference to eliminate potential positiondeterminations that would require the holder of the beacon device 108 tobe moving eastward.

As position determinations for a beacon device 108 are made and refined,those position determinations (or a summary thereof, or otherinformation based thereon) may be reported by the access server 120, thecomputing device 124, and/or one or more readers 112 (step 728). Thereporting may be from one component of the access control system toanother (e.g. from a reader 112 to the access server 120, or from theaccess server 120 to the computing device 124), or the reporting may befrom one component of the access control system 100 to outside of theaccess control system 100 (e.g. from the access server 120 to acommunication device belonging to an access control system administratoror to a security officer, whether via email, text message, or anotherelectronic communication format). The reporting may be used simply toverify that an individual is within a security facility, or to verifythat the individual is or is not within a particular area of a securefacility, or to ensure that the individual is within an expected area ofa secure facility (e.g. the area in which the individual works, or thearea that the individual was authorized to visit). The reporting may beused to trigger an alarm (e.g. if the individual is in an unauthorizedlocation within the secure facility, or if the individual is no longerwithin the secure facility), or to request the assistance of a securityofficer, or for emergency response purposes. These examples, however,are not limiting, and persons of ordinary skill in the art willrecognize other potential uses of the reporting based upon the foregoingdisclosure.

With reference now to FIG. 8, a beacon device 808 according to someembodiments of the present disclosure may comprise the same orsubstantially similar components as the beacon device 108 depicted inFIG. 4. The beacon device 808 may also comprise, however, a generator832 operatively connected to a retractable extension reel 836. In thisembodiment, the beacon device 808 may be in the form of a retractablebadge reel, and the credential device 110 may be attached to theextension reel 836. When the holder of the beacon device 808 andcredential device 110 pulls the credential device 110 to swipe thecredential device 110 through a magnetic strip reader of a reader 112,or to allow a reader 112 to scan a barcode thereon, or to tap thecredential device 110 on the reader 112 to initiate NFC or otherwireless communications between the two devices, or for any otherpurpose, the extension of the extension reel 836 activates the generator832, which generates an electrical current that may be used, forexample, to recharge the power module 420 (e.g. where the power module420 is a battery or other energy storage device). Similarly, thegenerator may also be activated upon retraction of the extension reel836.

While embodiments of the present disclosure have been primarilydescribed as including a beacon device 108 that communicates with one ormore readers 112 using a beyond-near-field-range communication protocol(e.g. BLE, Bluetooth, and/or WiFi) and a credential device 110 thatcommunications with the one or more readers 112 using a communicationprotocol with a shorter communication range than the beacon device 108,it should be appreciated that the present disclosure encompassesembodiments in which the beacon device 108 and the credential device 110utilize the same communication protocol, as well as embodiments in whichthe credential device 110 utilizes a communication protocol with agreater range than a communication protocol used by the beacon device108. Indeed, the beacon device 108 and the credential device 110 mayhave the same communication capabilities, or they may have differentcommunication capabilities (whether in terms of, by way of example butnot limitation, communication protocol, communication range, ortransmission signal strength). In embodiments where the beacon device108 and the credential device 110 have different communicationcapabilities, the communication capabilities of either device may besuperior.

In some embodiments of the present disclosure, and particularly inembodiments implemented in connection with high security facilities, apseudonymous ID and even a trusted pseudonymous ID may be used to ensurethat transmissions or broadcasts from beacon devices 108 are not merelycopies of previous transmissions or broadcasts intended to hide theactual location of a beacon device 108 or its associated credentialdevice 110 or user 102. For example, a tracker ID 428 and/or a beacon ID424 may be pseudonymized by replacing the actual identifier with anartificial identifier. This allows the true identity of the beacondevice 108 and the credential device 110 to be masked, at least to someextent, from anyone or anything that does not have the formula oralgorithm used to pseudonymize the identifiers. In some embodiments, thepseudonymous identifier may remain the same for each transmission (e.g.as long as the beacon device 108 is associated with the same credentialdevice 110, and as long as the credential device 110 is associated withthe same user 102), while in other embodiments, the pseudonymousidentifier may change periodically or with each transmission.

Also in some embodiments, the beacon device 108 may comprise the abilityto generate a pseudo-random sequence of numbers that can be appended tothe beacon ID 424, such as a URL, email address, phone number, etc. Thevalidation of this pseudo-random sequence of numbers may be done by avalidation engine 336 located in one or more of the readers 112 and theaccess server 120. The validation engine 336 may track the sequence foreach beacon device 108 and indicate whether the beacon device 108 hasgenerated the next number in the sequence, indicating a reader 112receiving the beacon ID 424 with the appended pseudo-random sequence ofnumbers has, in fact, interacted with the beacon device 108 (rather thanwith a device that is transmitting a copy of a previous transmissionfrom the beacon device 108).

Additionally, one or more components of the access control system 100(e.g. the access server 120, the computing device 124, and/or one ormore readers 112) may track the number of unique transmissions (e.g. notcounting repeat instances of the same transmission being received bymultiple readers 112) received from a given beacon device 108.Additionally, a beacon device 108's periodic transmissions or broadcastsmay comprise a counter, which may be compared against the number ofunique transmissions being tracked by a component of the access controlsystem 100 to verify that a received transmission is not merely a copyor replay of a previous transmission.

In some embodiments of the present disclosure, the beacon device 108uses the Apple iBeacon protocol. Whether or not the beacon device 108uses the Apple iBeacon protocol, in some embodiments the beacon device108 may be configured to periodically or occasionally change, scramble,encode, or otherwise modify its beacon ID 424, such that a reader 112,an access server 120, a computing device 124, or other components of theaccess control system 100 do not recognize the modified beacon ID 424and cannot associate the modified beacon ID 424 with a tracker ID 428corresponding to a credential device 110 and/or to a user 102. Thus, insome embodiments, a user 102 may have or be provided with a plurality ofbeacon devices 108 (which may be physically separate, or may be combinedinto the same physical device, and, in the latter instance, may shareone or more components). Each beacon device 108 provided to the user 102may then be associated with the same credential device 110, and one ormore readers 112 may receive periodic transmissions from each beacondevice 108.

The provision of multiple beacon devices 108 to a user 102 allows forthe effective use of beacon devices 108 even when the beacon devices 108are configured to periodically or occasionally modify their respectivebeacon IDs 424. For example, a user 102 may be provided with four beacondevices 108 and one credential device 124. If a first beacon device 108of the four beacon devices 108 modifies its beacon ID 424, then theaccess server 120 (or the computing device 124) will still be able todetermine a location of the first beacon device 108 with the modifiedbeacon ID 424 based on receipt by one or more readers 112 of one or moretransmissions from the first beacon device 108. However, the accessserver 120 will not be able to determine, based solely on thetransmissions of the first beacon device 108, that the first beacondevice 108 is one of the four beacon devices 108 associated with thecredential device 110. Even so, if the access server 120 determines thatthe location of the first beacon device 108 is the same as (orsubstantially the same as) the location of the other three beacondevices 108, then the access server 120 can infer that the first beacondevice 108 has modified its beacon ID 424, and can associate themodified beacon ID 424 with the credential device 110. In someembodiments, the access server 120 may also verify that the first beacondevice 108 has modified its beacon ID 424 by determining that it has notreceived any transmissions associated with the previous beacon ID 424 ofthe first beacon device 108 within a predetermined period of time.

In this manner, each time one of the four beacon devices 108 modifiesits beacon ID 424, the access server 120 can identify the modifiedbeacon ID 424, determine that it belongs to one of the four beacondevices 108, and associated the modified beacon ID 424 with thecredential device 110. The use of multiple beacon devices 108 enablesthe access control system 100 to continue to track the credential device110 notwithstanding the periodic or occasional modification of thebeacon ID 424 of a beacon device 108 associated with the credentialdevice 110.

The use of multiple beacon devices 108 each transmitting a separatesignal that may be received by one or more readers 112 may also be usedfor purposes of authentication and/or access control. For example, ifone or more of a plurality of beacon devices 108 associated with acredential device 110 stops transmitting, or if the location of such abeacon device 108 can no longer be determined (regardless of thereason), then an access control system 100 may be configured to imposegreater authentication or authorization requirements on the holder ofthe credential device 110 associated with the plurality of beacondevices 108. Such authentication or authorization requirements mayinclude, for example, requiring a user 102 to provide a pin or submit toa biometric scan (in addition to allowing a reader 112 to obtaincredentials from the credential device 110 of the user 102) beforeaccess to a protected area will be granted.

The exemplary systems and methods of this disclosure have been describedin relation to mobile devices, systems, and methods in an access controlsystem. However, to avoid unnecessarily obscuring the presentdisclosure, the preceding description omits a number of known structuresand devices. This omission is not to be construed as a limitation of thescopes of the claims. Specific details are set forth to provide anunderstanding of the present disclosure. It should, however, beappreciated that the present disclosure may be practiced in a variety ofways beyond the specific detail set forth herein. Moreover, it should beappreciated that the methods disclosed herein may be executed via awearable device, a mobile device, a reader, a computing device, and/oran access server of an access control system, etc.

Furthermore, while the exemplary aspects, embodiments, options, and/orconfigurations illustrated herein show the various components of thesystem collocated, certain components of the system can be locatedremotely, at distant portions of a distributed network, such as a LANand/or the Internet, or within a dedicated system. Thus, it should beappreciated, that the components of the system can be combined into oneor more devices, such as a Personal Computer (PC), laptop, netbook,smart phone, Personal Digital Assistant (PDA), tablet, etc., orcollocated on a particular node of a distributed network, such as ananalog and/or digital telecommunications network, a packet-switchnetwork, or a circuit-switched network. It will be appreciated from thepreceding description, and for reasons of computational efficiency, thatthe components of the system can be arranged at any location within adistributed network of components without affecting the operation of thesystem. For example, the various components can be located in a switchsuch as a PBX and media server, gateway, in one or more communicationsdevices, at one or more users' premises, or some combination thereof.Similarly, one or more functional portions of the system could bedistributed between a telecommunications device(s) and an associatedcomputing device.

Furthermore, it should be appreciated that the various links connectingthe elements can be wired or wireless links, or any combination thereof,or any other known or later developed element(s) that is capable ofsupplying and/or communicating data to and from the connected elements.These wired or wireless links can also be secure links and may becapable of communicating encrypted information. Transmission media usedas links, for example, can be any suitable carrier for electricalsignals, including coaxial cables, copper wire and fiber optics, and maytake the form of acoustic or light waves, such as those generated duringradio-wave and infra-red data communications.

Also, while the flowcharts have been discussed and illustrated inrelation to a particular sequence of events, it should be appreciatedthat changes, additions, and omissions to this sequence can occurwithout materially affecting the operation of the disclosed embodiments,configuration, and aspects.

A number of variations and modifications of the disclosure can be used.It would be possible to provide for some features of the disclosurewithout providing others.

Optionally, the systems and methods of this disclosure can beimplemented in conjunction with a special purpose computer, a programmedmicroprocessor or microcontroller and peripheral integrated circuitelement(s), an ASIC or other integrated circuit, a digital signalprocessor, a hard-wired electronic or logic circuit such as discreteelement circuit, a programmable logic device or gate array such as PLD,PLA, FPGA, PAL, special purpose computer, any comparable means, or thelike. In general, any device(s) or means capable of implementing themethodology illustrated herein can be used to implement the variousaspects of this disclosure. Exemplary hardware that can be used for thedisclosed embodiments, configurations and aspects includes computers,handheld devices, telephones (e.g., cellular, Internet enabled, digital,analog, hybrids, and others), and other hardware known in the art. Someof these devices include processors (e.g., a single or multiplemicroprocessors), memory, nonvolatile storage, input devices, and outputdevices. Furthermore, alternative software implementations including,but not limited to, distributed processing or component/objectdistributed processing, parallel processing, or virtual machineprocessing can also be constructed to implement the methods describedherein.

In yet other embodiments, the disclosed methods may be readilyimplemented in conjunction with software using object or object-orientedsoftware development environments that provide portable source code thatcan be used on a variety of computer or workstation platforms.Alternatively, the disclosed system may be implemented partially orfully in hardware using standard logic circuits or VLSI design. Whethersoftware or hardware is used to implement the systems in accordance withthis disclosure is dependent on the speed and/or efficiency requirementsof the system, the particular function, and the particular software orhardware systems or microprocessor or microcomputer systems beingutilized.

In other embodiments, the disclosed methods may be partially implementedin software that can be stored on a storage medium, executed onprogrammed general-purpose computer with the cooperation of a controllerand memory, a special purpose computer, a microprocessor, or the like.In these instances, the systems and methods of this disclosure can beimplemented as program embedded on personal computer such as an applet,JAVA® or CGI script, as a resource residing on a server or computerworkstation, as a routine embedded in a dedicated measurement system,system component, or the like. The system can also be implemented byphysically incorporating the system and/or method into a software and/orhardware system.

Although the present disclosure describes components and functionsimplemented in the aspects, embodiments, and/or configurations withreference to particular standards and protocols, the aspects,embodiments, and/or configurations are not limited to such standards andprotocols. Other similar standards and protocols not mentioned hereinare in existence and are considered to be included in the presentdisclosure. Moreover, the standards and protocols mentioned herein andother similar standards and protocols not mentioned herein areperiodically superseded by faster or more effective equivalents havingessentially the same functions. Such replacement standards and protocolshaving the same functions are considered equivalents included in thepresent disclosure.

The present disclosure, in various aspects, embodiments, and/orconfigurations, includes components, methods, processes, systems and/orapparatus substantially as depicted and described herein, includingvarious aspects, embodiments, configurations embodiments,subcombinations, and/or subsets thereof. Those of skill in the art willunderstand how to make and use the disclosed aspects, embodiments,and/or configurations after understanding the present disclosure. Thepresent disclosure, in various aspects, embodiments, and/orconfigurations, includes providing devices and processes in the absenceof items not depicted and/or described herein or in various aspects,embodiments, and/or configurations hereof, including in the absence ofsuch items as may have been used in previous devices or processes, e.g.,for improving performance, achieving ease and/or reducing cost ofimplementation.

The foregoing discussion has been presented for purposes of illustrationand description. The foregoing is not intended to limit the disclosureto the form or forms disclosed herein. In the foregoing DetailedDescription for example, various features of the disclosure are groupedtogether in one or more aspects, embodiments, and/or configurations forthe purpose of streamlining the disclosure. The features of the aspects,embodiments, and/or configurations of the disclosure may be combined inalternate aspects, embodiments, and/or configurations other than thosediscussed above. This method of disclosure is not to be interpreted asreflecting an intention that the claims require more features than areexpressly recited in each claim. Rather, as the following claimsreflect, inventive aspects lie in less than all features of a singleforegoing disclosed aspect, embodiment, and/or configuration. Thus, thefollowing claims are hereby incorporated into this Detailed Description,with each claim standing on its own as a separate preferred embodimentof the disclosure.

Moreover, though the description has included description of one or moreaspects, embodiments, and/or configurations and certain variations andmodifications, other variations, combinations, and modifications arewithin the scope of the disclosure, e.g., as may be within the skill andknowledge of those in the art, after understanding the presentdisclosure. It is intended to obtain rights which include alternativeaspects, embodiments, and/or configurations to the extent permitted,including alternate, interchangeable and/or equivalent structures,functions, ranges or steps to those claimed, whether or not suchalternate, interchangeable and/or equivalent structures, functions,ranges or steps are disclosed herein, and without intending to publiclydedicate any patentable subject matter.

Any of the steps, functions, and operations discussed herein can beperformed continuously and automatically.

What is claimed is:
 1. An access control system, comprising: acredential device; a beacon device attachable to and detachable from thecredential device, wherein at least one of the credential device and thebeacon device is initially an unknown or anonymous device to the accesscontrol system, wherein the credential device comprises a first antennathat enables wireless communications with one or more readers using asecond communication protocol that is different from a firstcommunication protocol used by the beacon device to communicate with theone or more readers; and an access server configured to receive acommunication from the one or more readers, associate the credentialdevice with the beacon device in a database, and determine, based on thereceived communication a location of the unknown or anonymous devicewithin the access control system.
 2. The system of claim 1, wherein theaccess server comprises a communication interface that enables theaccess server to receive the communication from the one or more readers.3. The system of claim 1, wherein the first communication protocolcomprises at least one of Bluetooth, Bluetooth Low Energy, and WiFi. 4.The system of claim 1, wherein the credential device comprises a visualrepresentation of identification information on a surface thereof. 5.The system of claim 1, wherein the beacon device is configured to holdor attach the credential device to clothing or a body of a user, whereinthe credential device lacks an internal power source.
 6. The system ofclaim 5, wherein the second communication protocol utilizes an inductivecoupling between the first antenna and a reader antenna of the one ormore readers to provide power to the credential device and to exchangeinformation between the credential device and the one or more readers.7. The system of claim 5, wherein a communication range of the firstcommunication protocol is greater than a communication range of thesecond communication protocol.
 8. The system of claim 1, wherein thebeacon device is chargeable by motion of a retractable member.
 9. Thesystem of claim 1, wherein the at least one reader receives a beaconidentifier from the beacon device via the first communication protocol.10. The system of claim 1, wherein the one or more readers and one of asecond reader and a third reader receive a communication from the beacondevice, and further wherein a position of the beacon device isdetermined, at least in part, based on one or more of triangulation,angle of arrival, time of flight, echo detection, and phase detection,using information from the readers that receive the communication fromthe beacon device.
 11. The system of claim 1, wherein the access servercomprises an asset tracking module to determine a location of the beacondevice and the credential device.
 12. The system of claim 1, wherein thebeacon device is chargeable by a solar cell.
 13. The system of claim 1,wherein the access server comprises a validation engine configured toverify that information received by the one or more readers and includedin the communication from the one or more readers originated from thebeacon device, based on pseudo-random sequences of data included in theinformation.
 14. A method of tracking assets in an access controlsystem, comprising: receiving, from a first reader in the access controlsystem, a first communication comprising information about a firstsignal transmitted by a beacon device using a first communicationprotocol; receiving, from the first reader, a second communicationcomprising information about a second signal transmitted by a credentialdevice to the first reader using a second communication protocol,wherein the beacon device is a different device than the credentialdevice, and wherein one of the credential device and the beacon deviceis initially an unknown or anonymous device to the access controlsystem; associating, based on the first and second communications, thebeacon device with the credential device by storing identificationinformation for the beacon device in association with identificationinformation for the credential device within a database; anddetermining, with a processor, a location of the unknown or anonymousdevice based on at least one of the information about the first signaland the information about the second signal.
 15. The method of claim 14,wherein the first communication protocol is Bluetooth, Bluetooth LowEnergy, or WiFi.
 16. The method of claim 14, wherein the secondcommunication protocol utilizes inductive coupling that has a shortercommunication range than the first communication protocol, the methodfurther comprising: determining that a visitor holding the beacon deviceand the credential device is checking out of the access control system;and in response to determining that the visitor is checking out of theaccess control system, disassociating the credential device from thebeacon device by erasing the information from the database that storedthe identification information for the beacon device in association withthe identification information for the credential device.
 17. The methodof claim 14, further comprising: receiving, from a second reader, athird communication comprising additional information about the firstsignal transmitted by the beacon device, wherein the determiningcomprises triangulating a position of the beacon device based on theinformation about the first signal in the first communication and theadditional information about the first signal in the thirdcommunication.
 18. The method of claim 17, wherein the information aboutthe first signal in the first communication and the additionalinformation about the first signal in the third communication eachcomprise signal strength information, and wherein the determiningfurther comprises: utilizing the signal strength information todetermine a first distance between the beacon device and the firstreader and a second distance between the beacon device and the secondreader.
 19. The method of claim 14, further comprising: determining,with the processor, a location of first credential device based on theinformation about the second signal.
 20. The method of claim 14, furthercomprising: disassociating the beacon device from the first credentialdevice; receiving, from the first reader or a second reader in theaccess control system, a third communication comprising informationabout a third signal transmitted by the beacon device using the firstcommunication protocol; receiving, from the first reader or the secondreader, a fourth communication comprising information about a fourthsignal transmitted by a second credential device using the secondcommunication protocol; and associating, based on the first and secondcommunications, the beacon device with the second credential device. 21.An access server comprising: a processor; a communication interface; anda memory, the memory storing information associating an individual and acredential device and associating the credential device and a separatebeacon device, wherein the beacon device is initially an unknown oranonymous device to the access server, wherein the memory further storesinstructions for execution by the processor that, when executed by theprocessor, cause the processor to: determine a position of the beacondevice based on first information received via the communicationinterface from a first reader and second information received via thecommunication interface from a second reader, the first and secondinformation comprising signal strength information about a signalreceived by the first reader and the second reader from the beacondevice; and associate the unknown or anonymous beacon device with thecredential device by storing information for the beacon device inassociation with information for the credential device within adatabase.
 22. The access server of claim 21, wherein the memory storesadditional instructions for execution by the processor that, whenexecuted by the processor, further cause the processor to: determine aposition of the credential device based on third information receivedvia the communication interface from the first reader, the secondreader, or a third reader, the third information evidencing acommunication between the credential device and the first reader, thesecond reader, or the third reader.
 23. The access server of claim 22,wherein the first and second information further comprise informationabout a signal received by the beacon device from the credential device.24. The access server of claim 21, wherein the determining a position ofthe beacon device utilizes at least one of Received Signal StrengthIndication, Time of Flight, Angle of Arrival, phase detection, and echodetection.